23542300x8000000000000000294695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:22.658{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B68861220BC9AC1BE1D9EC19F672359,SHA256=54934F9FFF771EF9AEC3379C214F5BFC26EF9AAA79DD48466994FEBA29C199DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:22.487{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5D2478B288C4DA22E4651395DAE5F2,SHA256=430975F3682D86A0D3878A41B5C64DB9160481520FC45F29B1438297B1B4DBC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:21.534{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61321-false10.0.1.12-8000- 23542300x8000000000000000294696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:23.790{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9423455D4632B87A44D2A12A68994115,SHA256=EACCAC2F4263C04DB8FB223272961543D6F5FFE4D100288989413796C7213364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:23.508{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B792992772635EC93734E1DD993BDDCB,SHA256=607D2D7FDFCDE4BA199CA75A0315C94C99C349156209CBDBD942AF6666360736,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:21.688{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54833-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:20.967{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54832-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.939{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A280F38178C6F802B5C64FDE88D404,SHA256=26AA9D4F54BF618ACCCFF41D5BAE85B392C4A5AA4230E1F118D2C7376331D218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:24.592{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E12CCD88547B77C8AFE8EEAFDA8911B,SHA256=2CA4D1182831E94B0232D6EED9118D981F75F89F891FEFE894AAE4DA8AC4727B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.722{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.712{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.705{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.701{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.699{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.672{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.664{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.653{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.648{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.641{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.634{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.626{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.615{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.603{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.593{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.582{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.497{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.494{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000306037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:25.692{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF9172CE0A581264243EA0F2366459F,SHA256=3D14B920521CC4854E5D3E1FFF6304B52B36F4E6D703BEEDCB9AEACE184E29A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.184{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.182{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.178{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.174{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.172{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000306036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:25.292{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D959744D99944152D44B43D68BA6E01E,SHA256=B93387642590173E60C768F83E059A9E5DDFFD639A535DA83BF329725CF60681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:26.711{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A12A3D8A817539CAD0760E5DF22188E,SHA256=94083344AF2E02EA6F25249F97DA957B35B9077F587983A823540DBDC1900C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.790{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000294729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.783{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000294728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.782{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000294727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.780{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000294726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000294725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000294724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000294723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.774{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.010{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7681C5DC10641746A29AC19C6FBE191,SHA256=E3845C81625488DFF052E9F14DFC6970DD5CCA5AF74D1AE458FE24579B924B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:23.958{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54834-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:27.841{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFB4B5C61F82DF8F4A4BDE1C9156D95,SHA256=50CF0EC3652C0EFD06B365A3EE217AD5EA301043CA0D60F76045A807BFCB45DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.900{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.898{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.896{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.893{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.890{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.887{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.886{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.878{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.852{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.844{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.832{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.809{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.803{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.794{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.790{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.788{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.786{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.782{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.779{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.776{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.774{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.773{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 13241300x8000000000000000294756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x8000000000000000294755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000294754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000294753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d8b79f) 13241300x8000000000000000294752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xc7304efc) 13241300x8000000000000000294751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d8b79f) 13241300x8000000000000000294750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xc71deaa6) 13241300x8000000000000000294749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000294748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000294747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 13241300x8000000000000000294746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 13241300x8000000000000000294745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x8000000000000000294744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.694{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-CFFE-6305-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000294743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.690{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 10341000x8000000000000000294742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.573{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.573{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000294740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.573{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-854.attackrange.local 10341000x8000000000000000294739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.573{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.246{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.242{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.233{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.232{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.226{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000294733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.094{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B6C86BE8E620B15C7FC0DB47979898,SHA256=A0CF9913DF592581BAFA0D06CB38B862CCFEE544409A0BE352468D5069A3D00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:28.957{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F6033F1F7B2CD3EF92F69D30C0C087,SHA256=745EF4274AF12108BAE0BBA8CC611E626C5EC9CB44460405E67BC6B41E9389AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.154{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61325-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000294786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.154{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61325-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000294785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.047{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61324-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.047{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61324-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.038{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61323-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.038{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61323-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000294781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:28.625{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330839E3F67EF3D1A7A1691EAB130E36,SHA256=760223DC039B9D9716F60EB90622F22F89969300D842926DFF5F97B4F45F6EB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.671{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61322-false10.0.1.12-8000- 23542300x8000000000000000294779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:28.425{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31699DFEE118DF11B9B0D4646A0101DB,SHA256=E462D114942C535AF760445236B1D3F19231C0C8D2280E144672E7954C31A5EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:26.130{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54836-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:25.977{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:29.509{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24202E742E35645CC9B200CFC405CB2,SHA256=604BEB0FA2232049F909C0694B44BD3A747CB276A578B8C64600128D888DBCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:30.655{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C54BBCC340A00D2B90D92D66281A80E,SHA256=54B95603C63CFEBF13FACB553AFE5AFBA480A3981379A16C3FACBE7D9BE9415E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:28.328{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54837-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:30.041{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A03B738D5DBAB1C4CF4C81C52344A6,SHA256=BD8C361473D1ED1BF5D7915F8AE41AE2391A973754C434FA4E0BD7F1DB1864AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:31.772{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F93625A3AC4BB6C13AF547EFF61DD0,SHA256=A2759C9D1005839E7E5CAD596E8CBC1790C5579014625343B530E8BDD0331ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:31.171{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37C1D33C6102F2CCADECAF9DACB115B,SHA256=6175E40F8996443B6693787184D61EA95B02723F55E750AD82D0B95885086B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:32.789{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FFE8F1D645B2018F0CF17F1DB0DE60,SHA256=5754F4ABB73F021423A3579EBDD6D9F668FCCA131A1A94FA3A938DC91D6F0820,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:30.528{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54838-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:32.242{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680A713EBA4162EF2DA897FFD1312B66,SHA256=D0E3B1EE28EEFDC69B779754C8FE665E38740A0C6F7FEBEBC5BD856A5278315A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:33.835{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D43DB5D0CCA2570F48A2A449FAA3EFB,SHA256=300A468197298BEDC391E8A8653A6A0BD2D800CA6C91B137DD1B13386D15E305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:31.985{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54839-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000306049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:33.346{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CAE3A93F2EAE12CC84D5A48297B8E8,SHA256=2B661495238918A49BE6AF08292F57AAD33D12087B9CA0465989D4E22F9BD739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:32.791{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54840-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:34.457{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F42C1D71109C904FDEF63FEE9DA0A01,SHA256=1733096DF876247067BD993F35B9C59D7EC72D4FBAB91F0EA39A678381633379,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:32.582{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61326-false10.0.1.12-8000- 23542300x8000000000000000294793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:35.066{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296572C058FF03D742E8E0E5F187FC22,SHA256=9392F2561529B8A36021AE14B1112141E36459F8A867DA1B4AD764EB242ACDF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.981{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.966{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000306053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.545{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FB601F79E5B46DBFC0818EB7FA7C5A,SHA256=1C729674201C0D7471F1C03AC27136975F57937C85B9F920D2C2D571A70B60AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.093{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54841-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.613{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C63F7C923CF75B814D2AA8176F3F1B2,SHA256=83801E083A0370E51054424C245FE2416BA0B0E97AC637418D8EBD311B3FA870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:36.183{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCFE2505824B2A1DBE786A6FEED99EA,SHA256=CB3FB8D12650492F60878B28137213F2A2EFAD31CE7F2F0FC3E3FF2322191E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.515{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DD9D88B164A1077333E36763870465,SHA256=3DC5862A595F2306E70BF5883108CC6B6F3BFCA0ECCC06E0BD028082813BA8B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.441{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.440{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.439{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.431{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.428{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.424{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.422{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.419{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.414{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.410{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.408{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.403{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.401{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.388{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.362{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.360{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.358{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.358{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.356{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.355{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.338{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.322{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.290{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.278{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.264{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.256{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.254{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.251{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.248{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.244{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.243{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.240{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.235{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.233{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.229{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.224{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.218{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.215{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.210{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.202{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.200{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.183{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.161{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.152{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.143{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.127{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.066{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.055{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.043{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.023{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000306112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:37.729{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F99D694E2735C09D36FFB20C4BE8CB7,SHA256=4108B19BD3A2A36C66DB70ACCD9AA7E73813ABC585EA516FB2CC8DC0CADCEEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:37.284{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEDAECFF52D39788726FC8E264F86EA,SHA256=7A29AEBAB09E062910F97B0B35A597C43B61D156D713150BF81C5D14FE21669B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.846{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0C8D92244D69FF3E7CBB9C7090C990,SHA256=76365C12B8B0877F9CB849227F1AA52FA6C702D6897EA4527CAF2A323D750207,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:37.363{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54842-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:38.433{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F09CA80B041FF601A5E44D719F5DCC,SHA256=A4FF17EA2B02093324C88D587413A1E9BA03BF714A4E53EA88BE426508011621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.328{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.328{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.328{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.321{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000306118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.321{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000306117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.320{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000306116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000306115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000306114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000306113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.314{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:38.318{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2A52E706B175039D15D76E4AC66A9F7C,SHA256=FDBF378842DC93F7BE7E22C11C6DBC58E7677EFD4545B4CEE40CABF8C3F2FD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:39.832{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417D2FC2065F90D0B366B610563D6FE3,SHA256=41BFAB87A9F396E6168BC3C6521C1ECE1346DDA2F976A96A4F2C3F7BFE55A236,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:37.910{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54843-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:39.582{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF61AD7FCC59FADD58E531B673DA11B8,SHA256=98CD18E0B5C8E3546AD851A164D8745EEC83AA073D9A816420556E96DED67A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:39.517{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB74D7710AFF9FF0F164DF5F5AD1F94,SHA256=9914F5C84FFCDD873222C85D55FBA34717FEDB8F580A21E0C3C28185DA425454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:40.863{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5ACDC0A3A483460581F227B19F4ECFC,SHA256=6111AEF1654B48A75286DE26E3CAC2DB464E631098FCE333A8F1653276831839,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:38.525{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61327-false10.0.1.12-8000- 23542300x8000000000000000294801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:40.582{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CAACA4EC8CB70CCDA30DBA6B7A2A54,SHA256=AE416BE59CD4A5458911021E03580439DADC25BE3EAE64FA6BC3A4B1A640F000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:41.978{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8853D38E660FB43D06712A77C399603,SHA256=711C55D5B9EBE03A884DBDA6FA397CD638F1672B13E0DF9DEE7465868FA008C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:39.634{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54844-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:41.703{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC16DC4709C3435D7893D1FBB2E1D53,SHA256=01963BC978339596FE6FD9D3A4DC4707939AA1263D3411E35681C28262AF085A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:41.383{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=53A691A3AF9391168BB5003BAEE672E9,SHA256=72D0809B1749E771CEE550E9CEE9A52A51529E145888694A3BF932438747BE3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:42.849{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A3AA617EF3AF6CD364DCDBBF3F0BF4,SHA256=9377BF579EEBBAD27C0734293D46831F765F87E8FFF8BD450266E51E8B0D3E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.956{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC86ED15937CC7D5A0E04BEFE4361F37,SHA256=C87EC903B18C16F51B1D2DDB1E3498FB0440FC7E7A07BED3D709CE28A227BCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.897{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-156MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.715{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AB16E80A5E6A67A94C1ED5F85D682413,SHA256=B4A15244E1ED16363B96A567F3B47956C41C657E885C171D27A605CD7133351F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:41.849{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54845-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.917{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39E2744D453B04F93BFFC41BA018A3,SHA256=BDF6DDE7AB476043DBE9E3915B25AB762B07C6FB3750103EB246E704CAB98A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.916{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:43.964{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0E8131ADD707C0B232F71C4C557CDA,SHA256=24C48C2383BA3071A067B03EF67540E32710E6D557672DE0309DE52FED0A5BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.878{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.635{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.630{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.627{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.624{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.622{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.599{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 354300x8000000000000000306137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.960{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54846-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000294818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.594{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.584{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.579{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.573{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.565{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.556{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.547{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.539{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.531{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.518{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.480{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.478{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000306138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:45.146{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FDD6844B57FF38DAD05A962419C57D,SHA256=662819E6E8E7DC6263051F3CF8F12D15926005F313764FD213C4BBB387F3F4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.072{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.070{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.068{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.065{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.063{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000294825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.018{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21059C2ED60EE5F46BADE3E70C83E181,SHA256=B63B8585121225078A3DD64F0DFA363223F0F7C29D7165EC00692AB2FAEA2257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:46.177{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1324CCB32D41C8E0B68E854A8DBF7C00,SHA256=A9C3164064BD81DD928FB511FCAC2EFCCC639331C386D99A745BBD675741DC77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.477{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61328-false10.0.1.12-8000- 23542300x8000000000000000294831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:46.125{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693A6D956B5125165FFB085CA8638D16,SHA256=2382A255B83B79B574C5DA264E22C49D8BB092430870C5C50DC19FC7E4419988,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:44.149{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54848-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.628{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54847-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000294860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.746{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.743{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.736{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.733{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.731{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.728{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.726{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.720{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.703{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.696{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.687{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.671{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.664{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.656{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.651{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.648{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.645{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.639{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.637{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.636{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.634{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.633{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000294838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.217{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4A60577CF8865F8B004D45747BD018,SHA256=5989AF2D940B03E9CC3C39F4DC030FAF641B1239D6789BAEAFB6BC29AB3DA9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:47.214{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D80D665C19B56AC509E4A8E4F0FEDD6,SHA256=7A71F4BA5F1360D3058E91E91281C92E1659FC0918D55C917398FF8873593E8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.122{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.120{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.110{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.108{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.101{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000294861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:48.316{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8C227B9D757D0A5C4A7664279E7711,SHA256=F9F6735A956BAEBAA1B7255AD9297448CBB04783F6440F586099052DA0CB76A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:48.231{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4C06B1D89C06ABBB3A55E39FB0E788,SHA256=5AFED5A98D1A47C6A2FAA5799C91872838970EA433C2A30BB02A31C2816A4214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:49.448{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEF3802C28D3ED98A85B18AAED9CCA7,SHA256=4AD1775A73196199D23AE80C3C31D903528B11CCE0512BA881B5F06BB441939E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:49.346{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9621785A67F23558B423C3C191392C1B,SHA256=2669ED90CF1AAEED79718092237CF6AA022DDD23D72CD5D6352B16B6C4EB86EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:46.449{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54849-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:50.681{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1149104FB13C61D3228640095FAFEE0,SHA256=D815FCF94879531CE1AF3AC606E621413ED461185DF6E52CCC3FDBA62F924A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:50.462{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72E4E927B98F7F5D067C6F4983B6058,SHA256=32269BBA48C7FFDC57152314891FD0047C2B366473102665E005A82BB299DDEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:47.975{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54850-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:51.802{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C198F82E2F0296545E59AB79825B1BE8,SHA256=E09B9665CB4424A1D4E629BCBBC3A5DE12B264E29DF0CC869DA1BD36A9776986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:51.565{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF932BE5A47BF5BA67FF5C7CB7E4D87,SHA256=26ECD86F9E82B5DE69D8C1E4AE851A152CDC0F096628E7F29822BBCD2C3105FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:48.733{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54851-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000294865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:50.493{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61329-false10.0.1.12-8000- 23542300x8000000000000000306150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:52.677{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EF6B5DC58BA86081C0878ECE9792D2,SHA256=554EAFFE261E14C301959875A719AE3F9C226D53521837FDC18AE4DC6033D3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.861{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1EBAA72DBB4262B09908A2DC722EE6,SHA256=F76E9F080F03D33D6A2F4CF2C65EA6B98DEC94BEDBEBCE58FBFE5A51738A0A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.695{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=83D60C0C30E4A684D4AB3AC5674859AC,SHA256=ACD772EAE6406A3A7CA8583A37C090E09A9C56510D5BCF00FB24BF3466BDB12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:53.064{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ACA6C72926571F88923CAE755832B2,SHA256=462039D7EA41BA123457DEEA1C86DDE3EF1B5EF219E8538D46ADDEE7EF67D370,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.306{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000306201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.303{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.303{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000306199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:51.033{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54852-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000306198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000306163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000306157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.132{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:54.814{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767F73E75AF484E7F3CDBAA51B9A45D6,SHA256=0BFEF98016AE1A478B1AA838CC8C2C1ACFA8C5B50E171BB900FDABB2F7EC6A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:54.571{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-156MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:54.081{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDD26162AEF67DC92F3C8E67DA72883,SHA256=E85111F16673528835A1770EF277C02265CB085E14293BE795EFCA2B728041F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:54.195{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D1F8E04665E8A8858D036B31182B09,SHA256=B4A70A16A5B12D6EBB2868E72E83C7E294EBB290456358E7C8A8DF12F692B6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:55.582{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:55.184{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC0A1DA078E22F6B3AE2CEB4E867C50,SHA256=231C8C4F008AAEEB063F13A1CB29C85BA012690F7ACE483C9276C09DCD938EE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.998{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.985{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.977{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.964{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.963{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.963{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.961{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000306311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.961{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.959{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.959{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.959{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.958{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.957{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.957{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.949{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000306289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000306277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000306272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.934{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F457FBBE130361C5122D075F7E227BD3,SHA256=B686859AA380BC3F634458FB755FC383CC2650D47DD70506776D74AB2D36BA24,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.514{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000306263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.498{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.498{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000306261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.498{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F6616C94996ED541861795BA3A21E9B,SHA256=5BD92FE5C411EEBE7A72C1E2FAE1029912843B39D11C112EE59B71CAFEE296D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000306251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000306229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000306227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000306226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000306224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000306223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000306220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000306215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.330{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000306208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.233{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54854-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000306207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.042{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54853-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:56.283{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DEA86FEB24538BAB694FF88D2D6E5C,SHA256=C65D5FEC3BE291BDCC5410CAF002E49DE2EED16990D12119A0FA3EA495474382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.348{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C6795D8A2AD50903ED754BF3CEBA32,SHA256=B13EBB6B923BD73B0FE9B1C3B47BB357BD3845889626CFC748639C526526A128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.274{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.273{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.272{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.267{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.265{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.262{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.260{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.257{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.255{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.252{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.248{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.246{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.244{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.236{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.209{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.207{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.206{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.205{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.205{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.204{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.191{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.177{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.152{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.147{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.123{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.121{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.118{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.114{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.111{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.109{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-F5E7-6305-8505-000000007602}16884808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 10341000x8000000000000000306333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000306331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.102{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.100{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.096{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.090{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.088{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.077{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.069{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.063{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.057{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.049{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.039{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.012{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.007{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 354300x8000000000000000294873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:55.711{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61330-false10.0.1.12-8000- 23542300x8000000000000000294872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:57.385{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA106CF3C2856BE1AC364BBE45F0F8C2,SHA256=08B67B0BA531B035E222717E492DF73827CF4DB712DD4FF5FDD77D568191CED1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}61244128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000306421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.515{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.515{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.514{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.514{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000306381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.496{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.493{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6563F11BEED89C92A49CBDD5A5D96AD7,SHA256=267FB08A08683EDA88ED786A4DD27A40FD270D5D4AF5C00C5875A06E8C57AFCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.513{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54855-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:58.519{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3883FB322FE4F9276BDD2BA9594E2587,SHA256=2F4712026CA934B3D42B90CD458568DF1A557A0BB3448A5740F538D00872365C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.879{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.879{F6DB49F2-F5EA-6305-8805-000000007602}21643752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.863{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.863{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000306532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.827{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.827{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.827{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.826{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.826{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.826{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000306526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.733{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCEB63B01E4F8532401B1C7FD3BAAC2,SHA256=428B8B277C09983020DB44DA6610B92B9160761A8F1164DB1471A99155821F03,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000306485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000306478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.378{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.378{F6DB49F2-F5EA-6305-8705-000000007602}49284664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.362{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.362{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000306474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.315{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16277692CA8DBA03BCC320119FDBE1F4,SHA256=B991A75027B8881CD8DFDC09C3BC9D61C81EA3CE94B75BE404D74C75A0755024,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.199{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.199{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.199{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.198{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.196{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.196{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.195{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.195{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000306438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000306432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:59.634{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826546BFBFC5E3FC158A61DBAFB7591D,SHA256=90C1577EDF563B63971AFA98C0763D804F787DE848AE500AE8043B55D78BB5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.764{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34E94BBB9DCFAD39F29310B520857CF6,SHA256=583801D486A1F14839285A5ABD11F2064CCF20AFE56A6784A8B550E7FD8B4723,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.446{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000306588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.446{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.446{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000306586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.299{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.299{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.299{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.299{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.298{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.298{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.297{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000306571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000306554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000306550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000306545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.280{F6DB49F2-F5EB-6305-8905-000000007602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.277{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF769F00372B0CDA8B70E8A7CEF5B33,SHA256=089D6531BCC8FCFF26699E244A8559F80C39061F7C9AE02CAF1C2A1CB18D74F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.710{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54856-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 13241300x8000000000000000294879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:59.465{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000294878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:59.465{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ECEB3A25-E485-410F-A879-889ABA3F8BBA\Config SourceDWORD (0x00000001) 13241300x8000000000000000294877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:59.465{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ECEB3A25-E485-410F-A879-889ABA3F8BBA\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_ECEB3A25-E485-410F-A879-889ABA3F8BBA.XML 10341000x8000000000000000294876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:59.449{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:59.449{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:00.665{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780526F94341DF7E6679E5CBA097C4F2,SHA256=CA1DE6A0179258590A4D2B82F27022178D491540478E3E89E4D8B2FEEA8BF094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:00.516{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090299205A43FCEC6C60FD56F6A0D719,SHA256=7D6952735DB920C0B5133087510898500F5D7F56677D6CF228EFA0B5401BF395,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.928{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54857-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000294883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:00.303{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:00.303{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:00.303{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.770{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFB1C3EF8735D99600C9BB760E69FF9,SHA256=3FC5D11213C8F2ECA9B4DF8295D306F675D4B9588BFF5347535DAFD475C31A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:01.295{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAF86F5D871C859A546DCCBDBD8FE16,SHA256=116DE889BEAA495AF1806F25FDA236C68CB25DE626CF8C8A30FE036AF1EF7EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:59.895{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54858-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.386{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7231F646FF737958FB8E15C398FAB11F,SHA256=ADF10F1CBB5701BCAE07E1983A08A410D8FF8FD2D7AD28EA2D64B45BD373D8A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.305{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.304{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.134{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.134{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.134{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:58.913{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61331-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 354300x8000000000000000294885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:58.913{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61331-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 23542300x8000000000000000294896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:02.801{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6F79C4F50E8E4F13F976F7717517F6,SHA256=FB19C87E1F4FA6F7A5923F4B08A21D898B943B61F33861F51AEFE03DFAA7A461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:02.300{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6486B8F85618647C70D05CB9B64CCBB,SHA256=C124F8B706765BC972F18C5D183149AF7E27ED2C4CBFDE3B962FC50F50F20952,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:59.764{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61332-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:59.764{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61332-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000294899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:03.883{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517B06D7C9F1E347216E86DF16362DD3,SHA256=9B8607C54AD7A13C5ADFAAB4DBE36607B538DA6AAA3E45CCEA41A25AE48AC535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:03.399{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8C885B9B3827376FB003AF33C66BE8,SHA256=63709D875571399D5E87F24236FCC8A60DC3ABFA6112B2DFFAEB7E66A90FEA29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:00.595{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61333-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:00.594{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61333-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000306598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:04.500{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31436F02A9A3FE035E2F438FEEF5327B,SHA256=B6599EA79FF976B735742EB7489C8882990AC940BA377889CC423D0D7D9EA084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.780{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.771{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.763{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.761{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.756{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.726{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.718{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.693{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.684{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.662{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.642{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.626{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.603{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.591{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.577{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.567{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.510{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:04.503{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000294900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:01.463{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61334-false10.0.1.12-8000- 354300x8000000000000000306597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:02.165{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54859-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:05.631{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1FE0FD880695DC00129F6AD67ADC09,SHA256=6AF040B680F9820C49B59E2E57C44AE58F9D1259091F60076B80FDF918AE84C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:05.228{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:05.226{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:05.223{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:05.220{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000294920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:05.218{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000294919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:05.093{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BC6F496BBEF4F37EDF4D22C1AFB6B8,SHA256=04114B8AE0B8797C2C9B044254719702BA5CAF94F877F16E9AEE940BF1E5D112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:06.698{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FF46681F0E415A4EEF74A7DBF56156,SHA256=CC4EF0A1DB8CD016BCFC5060A4A82C2F17D1EE4C9A67005275892DD512746BFD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.918{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000295026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.918{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.903{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000295024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.764{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.763{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.762{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.762{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.762{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.761{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.761{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.761{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.761{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.761{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000294999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000294998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.760{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000294997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000294996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000294995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000294994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000294993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000294992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000294991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000294990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.759{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000294989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.758{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000294988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.758{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000294987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.757{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000294986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.757{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000294985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.756{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000294984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.756{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000294983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.756{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.756{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.755{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.755{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.755{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.755{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.750{D25361F1-F5F2-6305-2B05-000000007502}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.333{D25361F1-F5F2-6305-2A05-000000007502}50365084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000294975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.333{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000294974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.333{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000294973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.184{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ACF935E81B773C568C47A0285B53DD,SHA256=F7182751FDF3C39ABFD0313EE61FFFC0D2AA0694A738917963A9D7B3988372CA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000294972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.133{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000294971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.133{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000294970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.133{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000294969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.133{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000294968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000294967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000294966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000294965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000294964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000294963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000294962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000294961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000294960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000294959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000294958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000294957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000294956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000294955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000294954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000294953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000294952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000294951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000294950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.118{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000294949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000294948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000294947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000294946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000294945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000294944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000294943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000294942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000294941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000294940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000294939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000294938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000294937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000294936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000294935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000294934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000294933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000294932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000294931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.102{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.103{D25361F1-F5F2-6305-2A05-000000007502}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000306601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:04.876{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54861-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000306600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:04.350{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54860-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:07.818{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10182CCC45027CA34D7EAC47E4C5107C,SHA256=691F8592E0E9B9314DD64985D52561BE33EB66BD6C79601ACEEB611B9D1AD238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.922{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.919{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.917{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.915{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.910{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.908{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.907{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.898{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.873{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.865{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.854{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.837{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.831{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.823{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.817{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.815{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.812{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.809{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.807{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.806{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.804{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.803{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000295093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.783{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564EBC04C24716E108625436D690DB33,SHA256=E87B8284D56F850C142654A1F716DC429111946649A8C9B07E339805C88870DA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.518{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000295091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.518{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.502{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000295089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.465{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB5263293DA1999E6397E9C171D563E9,SHA256=6B998F94F5A04BEA28DAFE5EF0BCDE102651DD3A7AF9209FFE8FDE061F78646C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.361{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.360{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.360{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 23542300x8000000000000000295084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643856300234BC9376695DCE616AF776,SHA256=7CAF5E60A7057226CFCD6F266E5022568DC58D7892715B3207DAF47A7FE4314D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000295078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.348{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000295056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000295054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000295052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000295051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 23542300x8000000000000000295050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63237BA7182CB0F9D6AB6AA8FE4E503,SHA256=726146D5FD9B6B0341F5CCDE5B09360AC90E9C8FC5C5F23667C56B1E58CAED84,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000295046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000295041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.334{D25361F1-F5F3-6305-2C05-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3B7648C3373E12ADA479B7C201B2BC97,SHA256=9E98BB94A3FCE973761A74745A65A031DEBC48977C521C9C83D305BB91978B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.332{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F434D2FE31BDDF758B31F478ABD2C444,SHA256=1FC3A89B0146909176948D6DCD570E09240E06AA593C814FDC5BE5378A24622A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.285{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.283{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.273{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.272{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000295028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.265{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000306605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:08.922{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2029D2DC9C661046F695EA2CC0919A9,SHA256=22CEF3668D3861E1AC8F32C1987003689C01986BA34F9BC6E3A4DE04F0E6B100,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.833{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000295218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.833{D25361F1-F5F4-6305-2E05-000000007502}66605492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.833{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.833{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000295215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.686{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.686{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.686{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.686{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.684{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.684{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.684{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.683{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000295180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000295175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.665{D25361F1-F5F4-6305-2E05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.402{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0459F5ED725C02A810A3BD7B9BC7C44E,SHA256=1B0D35260D799A00AECF9BEF11455BBD419FC00AD28FCA4A6E39657F78A06958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.402{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9408B6F212691CE4B5E0A4F121B2A2,SHA256=14E05DEC5FC9824E117F457B290580F36AD7D50CCE93133C8C4E79692AE0370A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:06.635{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54862-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000295166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.187{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000295165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.187{D25361F1-F5F3-6305-2D05-000000007502}51642160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.187{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.187{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000295162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.021{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.021{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.020{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.019{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.018{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.017{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.017{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.016{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.010{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.010{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.010{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.009{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.009{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.009{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.008{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.007{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.006{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.006{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.006{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000295127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.005{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.005{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.004{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.004{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.003{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000295122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.003{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.003{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.003{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.003{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.002{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:08.002{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:07.998{D25361F1-F5F3-6305-2D05-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.633{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDDBC4B507A3BDBA1F2B0663DC7EF8E,SHA256=40FF079C9CC467A6E76C72F1ADFBE0753FE8E9890B7771E543A08AFC171E88C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.618{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94394E1292FB7C7436E8393080E93CF,SHA256=B2DA71A8A4B8C29C3C5ED3FDF4EE4F15F9C92527E9955570D340364C7DDE05E9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.518{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000295271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.518{D25361F1-F5F5-6305-2F05-000000007502}9406848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.518{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.518{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000295268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.349{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000295234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000295232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000295227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.334{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.335{D25361F1-F5F5-6305-2F05-000000007502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:06.664{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61335-false10.0.1.12-8000- 23542300x8000000000000000295275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:10.618{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC198809BB083C5FAED0205502B2F5E,SHA256=97BDD2878784E034D44484CFBE39CCBAFC7C6021291003D99FC7DB69E208F293,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:08.935{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54863-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:09.999{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF38561C9494B8E140C1B130B3562EE,SHA256=123FE0E8C451EC8439DB54967471AE964506591F02087E71460E718294AF0629,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.733{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000295327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.733{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.733{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000306608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:11.033{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44D1AE2038AF5EB54D2B1EA73B937EC,SHA256=3743D3637A681B513328858B3B4E42986A2078645DA2F684CBBADF8CCAD76925,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.581{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.581{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.580{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000295312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.564{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000295293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000295289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000295284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.549{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:11.550{D25361F1-F5F7-6305-3005-000000007502}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.011{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61336-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000295276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:09.011{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61336-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000295331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:12.882{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC21C61573122A112CD2CE73C213225,SHA256=1D37F4F25A8C0E6BBE1F921194BAD5D7A1C433F18A7D2387134930BE7C107868,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:11.135{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54865-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:10.046{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54864-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000306609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:12.179{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A879CE6871A7A4DBE92A749F7D48BC04,SHA256=2808331C9AD16DB44C15170898161C2A6B09ED603EE8267FFF03CDCBA21F106F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:12.617{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54785FB585C36CC825B7732213CF6AF,SHA256=A5EA008E8CF24BD1D3B9EA404EB2B9CC17147BEF52CBB03C40FA935BD928B27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:12.102{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8873762DEBFA631684A2F1E8D62661,SHA256=511ECF177FBEA1CABB8CB5920159FBF46585FEE50A6D5373B3D06FCE9EFB42E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:13.301{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92F5B60F27D126483DFC28C3952A461,SHA256=643C549ACD6279DB7871ED1F857311A0D525DE753A3A4332760FAC1B529FAF85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:12.540{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61337-false10.0.1.12-8000- 23542300x8000000000000000295332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:14.000{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9082051AD24E850500317C396C7D2DE3,SHA256=8A4AEA9822847CAFBDEB9CBE8B905C877D99181633C2213AAB749BF3F11254C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:14.416{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2E2A8C76B3CF42CC7922AC5460F1A6,SHA256=8B102B0485D8005F85793A10AC5C19A08AC81EE278A38F7DEE44FC23B5D10572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.991{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.987{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.970{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.960{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.958{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 11241100x8000000000000000306618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.796{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txt2022-08-24 09:57:15.795 23542300x8000000000000000306617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.796{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000306616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.795{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txt2022-08-24 09:57:15.795 354300x8000000000000000306615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:13.334{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54866-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.517{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D27A19ACF5D29BB44F93A1B589E9BAC,SHA256=1134AC66A59F2D509229712F12473D2B33F5D766715776D506FFF6F1DD9AAF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:15.146{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5AC27AC71978BBB2864BCF67360E1F,SHA256=EB891FAE62748A450B44929B6D8286AE7E70A67DC62D4107761D1DD13E241A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.718{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A4A3FB2195A4E3D40E124274C1E6D2,SHA256=B6EA184467A5D06B4C447220B8EE0C136F49D01C61898DD6B303819C7181C26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.718{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA16E02A82138D9D560C3993FD20514A,SHA256=367C0C75FBE54FE20540A29D292298362AF1F845BD5734E569C495144C39A27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:16.261{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C6CF47DB811BF6076385A7B220ECCF,SHA256=E05B88DA2096B12AC0DF5065CE0C71471CC2877CF2603E703C264FB53491B4EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.344{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.343{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.340{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.334{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.332{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.327{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.325{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.320{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.317{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.313{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.310{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.305{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.303{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.292{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.271{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.270{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.268{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.268{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.266{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.266{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.253{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.241{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.209{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.200{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.187{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.180{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.176{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.172{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.168{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.165{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.159{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.151{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.149{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.147{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.140{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.134{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.131{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.125{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.112{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.107{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.084{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.073{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.065{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.058{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.050{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.039{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.010{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000306624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:16.005{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000306678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:17.849{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647B15C5345D2C5D92AB9BAFBC7F5352,SHA256=62D58BA48E7D44497BB883D75B126F79E8AE956F1723EC897F3DFDE8A0748A2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.963{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54868-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000306676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:15.612{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54867-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000295336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:17.361{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29505B740566A9BBEA9239B14558363,SHA256=A35AFB37C46E017BE9D2516866A01B824C0045C144A023895DD3B99D61AC10FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:18.479{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2538286CF48BCB343B58FC162533EAF,SHA256=65F4BF636355146AB60F7E1E57995FFD16D7CB51464916E243FCD77563CE8962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:18.849{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E360386552D616C37F28A1F6441CB24,SHA256=3FE01CCCB267AEC3155FC1E628AB4F0080AAF11D2C10582DAA10E1C3D60D0AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:19.628{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28834B8E10DC0315EC4B4BC0288FF0AE,SHA256=8A0B5C293F33D49A5B60F872B0853DDAE3C695EC5C2317694A305A5AD28FE652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:19.948{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB697C49074C27F179682B7AB7742F97,SHA256=4B9C7B3630867EC3542A244325796C5994C16D2F6C845A48BD7792623415D84D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:17.575{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61338-false10.0.1.12-8000- 354300x8000000000000000306680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:17.936{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54869-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000295341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:20.776{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCED877775A4BB850885FA2AB8C55C43,SHA256=B27712B4118E2513FECCFB7FF9AD8C93B9295DAC58E280C30318AEE3B1BDE84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:20.281{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:21.896{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2E91BFDAACC7E768C6B8744CF47572,SHA256=3EF8204B1C1B52C694A322B156FFD3F1D42248ED76BFC653E85C02C5987F4847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:21.033{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8779CBD21AAE13D8D0C6F92594CAD5,SHA256=6989A6926D55D2D7532F8C2D41925B65FD8990D8BC883DE4EFE62BEDB769DD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:22.926{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B9FC65E1D59F387B1F5A841FDF31DE,SHA256=007277B4D83B580DFF13835E6C93674EE343A1B721A861E15089C976A6217E2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:20.967{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54871-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000306684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:20.215{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54870-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:22.149{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3517D9A89F28C3DD7B0E98C326D5444,SHA256=BA8D57E40E0627A01D928E1F205E14690AEF4E1F908FA5FD6D4A629E1CEE17AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:19.720{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61339-false10.0.1.12-8089- 23542300x8000000000000000306686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:23.251{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B561B663E16CA4AE95C0D705BF1183,SHA256=A7736AF2A81D82CC9588A12DF3B1A1F057417EF5B0AE60A32BDBB85595B70C87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:22.399{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54872-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:24.282{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2EFEA6D8733F2A4D1AC912B1F43BBC,SHA256=68BE8120AC2630B96D00A14379F69A408145474B2470911DAE1F7307FFF8E18E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.705{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.698{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.693{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.688{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.686{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.659{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.653{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.638{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.631{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.619{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.608{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.593{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.582{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.571{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.562{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.551{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.498{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.495{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000295345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:24.042{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53752922FE411C3CAC14A050CB6134E,SHA256=83852084F1F744D240A42688C64AE04D36AFB13A0E830C5D7127A022CADF46F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:22.587{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61340-false10.0.1.12-8000- 10341000x8000000000000000295369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:25.131{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:25.129{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:25.126{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:25.122{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:25.120{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000295364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:25.092{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB35F650698476BA6867A01A55D35E7,SHA256=C8FEF93A745E45EF1753465A4E8C5603D065071FF40AC3B3B33BF4683CC9DFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:25.897{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A8D386B789640A7C9FE18C6B2FFBEC0E,SHA256=08172165B6DC1B772FD09AF9275DFC3FCB3738B96914056678FEE76A3041E0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:25.299{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349D81B153582320735260DE46529848,SHA256=99A2B805D3745F514899BEA9B05E5D347A1658DE1BC619A22A1118CAB29CBFB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.786{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.786{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.786{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.781{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000295377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.780{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000295376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000295375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000295374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000295373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000295372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.773{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:26.396{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD4718BB057B5E6A053944C7BD0925C,SHA256=357FEEB367532BA435C9C46C47EAC243F2793F566375D170DF4CD2B1A99665AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:24.583{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54873-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:26.334{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E1D181AC93FBE7FB0E2FA014DF81B8,SHA256=C42D3C50636DC26BC36019F23204D5AE9B017C4B77DB7319C9BCF5AD2F2CD4B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.861{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.854{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.848{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.841{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.838{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.834{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.831{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.823{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.800{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.790{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.785{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.775{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.755{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.745{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.736{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.731{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.729{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.726{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.723{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.720{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.719{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.716{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.714{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000295387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.527{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75334A1998709F0AD23BA66EEAFD618D,SHA256=9CDD3CAB8A0098F773B4FB8496971CE61ACABCD4ACEC3F3840875ECB1BDA48E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:26.014{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54874-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000306693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:27.448{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6B5E389A3D232B5B687C8B6F0F0892,SHA256=D4A24D8EBC87016057F56FE132FC979FAF9EBCEC96138CDB8DE58E97B82C9EA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.196{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.195{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.184{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.182{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:27.174{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000295411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:28.612{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DADFB8AE411A808F2EB4CCDF0C2B95E,SHA256=7518313E92E661941BA8643C35C21FC899E9A7B6F1905F728071C565ADC02CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:26.867{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54875-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:28.580{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5A2DA7E3B358A3D19E6232CFFC9DF4,SHA256=D1794A5DFE2A4A97670FCDCFC667193ED50A1F5D5B14B3233A043400782A59C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:28.017{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:28.017{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=BE32DA46A8EBBAA8A47A69427B487FE6,SHA256=8DAC1AF24EADBF197DF9FCFECA30BC4C181B42590BB1B15E0D29C20FCB4B5E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:29.743{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730CF805802B6296224D8D7F5A5296E2,SHA256=76AE78DEEACF10B157B63C4E21799BB9F2B7B88357CDF2C95A923605916A7355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:29.679{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1FD273A053DADD5FAE962EB3825BDF,SHA256=77F5A70E3AA694CC4E9405E503F4178015180D88A0CFAB6A1BA43518943585C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:30.875{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBEE8474A1D2128D74B48AB005C9BE5,SHA256=4333A80C8CE4EA89FA76AAF1F0512B48B92D6419BAC61156A68C717C25EF09FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:29.149{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54876-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:30.696{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4988745E250C8576133AE4E544BC75AC,SHA256=2E09D082D3149F7BB34D2D13FE2E0961CE10095394988A2C4B073159A8108297,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:28.520{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61341-false10.0.1.12-8000- 23542300x8000000000000000306702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:31.797{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B387314589A1285A93424E6412AFD0E7,SHA256=BC45A8C0DD1A5336AF2D455B9B081402D7A24C79ABF2F02A26A4B1695FC172B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:32.802{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A431EF01DBF99823DBB42A7402EDBD41,SHA256=4F3DA9F1B1EF6E294653F2244726592A1EA9DEAD3C3F6EF0E23041972291A6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:32.011{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6FE78350DC10DDCE1A947EF3F3BE09,SHA256=DDF919FD214F965CEE2F091502CDDEF41130BD255AA4E731AC9C9DA4C69C6E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:33.937{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C49D40B0C60D3F0D802ACA5987E093,SHA256=0ED0FE42B47EF6019BBA325B878AC0F2A5B2F7F13BA41016A0EDD77B36561D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:33.142{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AACCED8C2AA1CD1118E308EAD05CE3C,SHA256=804C2F5B8BDE67A9BF15F06BFAEBE81597B8F89C132D934631AC7C92633E3640,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:31.349{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54877-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000295418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:34.840{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=F3D9D5A87029A2CD985E83D9CCE0329E,SHA256=FC866D0A47063752D5E9A41B35267CC1EF6828DD8791A107D84744DFC8F2BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:34.173{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097D579C7D1E7B20CDB08FA0A523C9BA,SHA256=21FE096DE40EBC81ADF1E69532192A86A3FC2FBCC9FEA93A0F03CD578B58DAE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:32.000{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54878-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000295420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:33.617{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61342-false10.0.1.12-8000- 23542300x8000000000000000295419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:35.274{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8349B4816027296A1123C23F2167E01,SHA256=8F269A8AA925055C41569FB6461B1A97CA5A831CFB3A24DC4BE950F97F0FA247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:35.982{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:35.980{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 354300x8000000000000000306708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:33.617{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54879-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:35.068{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6484C5D027A7E2E81D95063012F70D,SHA256=0931A9A67D0E46C18D11F976826B78C70B9C036DC441537C385FDA448DC9F53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:36.407{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEF23F00958C82B9CD4101D8DCB0BB4,SHA256=DD704CF8B36729D22DE5D98C8E2949795039264C7A6D04E39FA03E32CE76B10C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.607{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.606{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.605{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.601{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.598{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.594{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.591{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.588{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.585{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.583{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.580{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.577{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.575{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.566{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.551{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.549{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.547{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.547{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.546{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.546{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.535{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.525{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.502{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.491{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.483{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.478{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.472{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.467{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.464{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.450{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.447{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.431{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.428{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.426{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.420{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.410{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.397{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.384{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.374{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.366{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.350{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.346{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.316{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.296{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.272{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.253{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.228{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.178{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000306716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.169{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14526ABEEE87E73E051AA181A569EDA8,SHA256=E20A0A8E5C176E146C458E9466AF93829C8E92A613F3C526F9E310FFCC457298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.084{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.066{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.047{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.027{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:36.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000295423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:37.722{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EEF253FA83BE14C5585D7B223EB53383,SHA256=B43F16D51A25B6A01990DFCDB3C2AAFFF785685986CBB2BE97980086C20CB18B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:37.554{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E89C9EBA2C601552A710A94F09190D3,SHA256=618F656D642B6148B9F689F7445F5DA318A61272F46825F63615C62BE4035BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:35.805{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54880-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:37.301{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC832595618E8CACF599D356313B53B,SHA256=5102416E1F7254FD27DBEB24EFB5952D9ADD4D5A6F0C5DF938F50C22A8B7CFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:38.672{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A0524416ED8ED44A80D4B3354F3CC2,SHA256=861F88C7BFA500AAEE5A7B8C04BAE961C41550C6F0C8BEA97E0AF8265ED3D723,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:37.034{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54881-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000306774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.406{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CB981907B559491B20C2CA56EF07EA,SHA256=96923B4F25870CAF71BC8AD2AB587E323083A9926C74499706C296B8E837C190,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.312{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000306772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.312{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000306771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.310{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000306770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.306{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000306769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.306{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000306768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.306{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000306767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.306{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:39.705{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FAF2B09BF4A726636B29C1C6CDB691,SHA256=9CAFFF64D04734232B6BB3672180FAD83C93E86A3CD8A8AB3DAEE713E336AB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:39.405{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B3E4FBA08D8981E31059176699E0DB,SHA256=05E006795E83AE56A81DB59D834AEE225A0F839D7270F3B0A8D7551B1FA76CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:40.851{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709D3876110BCB769992483D95699022,SHA256=3BEA8B1F72EAAE6CFF91092CAD0C4A3B4244E17AEDCE29D0C6A7591E4A00B634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:40.538{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3965DE082884E8567963AFBE88DFBC7C,SHA256=D98949A7EA3061855EC461B3F35EC02E5A65F54E12D0EC472AF1BD3D22A9DD08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:38.087{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54882-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000295429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:41.936{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2946C7292AB792BF0EF9C5B7DFBDED,SHA256=FACB6E3F73B7EE50C279FFAB2C84BF1DA6CDE006DDA0D25995BE6922B2F32B26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:39.566{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61343-false10.0.1.12-8000- 23542300x8000000000000000306779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:41.668{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2969ABA3257F11439CFCEDAA04F1B3,SHA256=C9281C07F1B23863D5B2E1041F048077DFF745B3F9B7AB3C701E7E7247C30825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:41.385{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=69EBB2C20992C3CAD112DAFAEF083F08,SHA256=502C43991001C8218E5F335338A761F1674C6EDAB3369DB906303C69076F26E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:42.968{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3420E41490D507E0B4356FD046DFA682,SHA256=DAFE5C386F4B554F1AF0118314A69102252C1F71822F83E95FBAB2792B335BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:42.768{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBC710C1A9800EB36CB4C928B22B028,SHA256=4005E8EFFE24254CDA29A48799C28134F133810575310B20EE83C3D937166019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:42.721{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CC358A5A650D4E271E77776E09FDBF29,SHA256=0BFCDCCBEE765806CC2E182E90F4922BFDE5600348D1B5B11C7DD837D1070383,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:40.371{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54883-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:43.903{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:43.752{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7930520E06F2792D2C0358E4DF22352,SHA256=64389AD51A61605D0FF925C46BCBF7938C75F85AC995B4AD4D771EA77BF04929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:44.851{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBBAA79BBB9B77386E61FCA16DBFE5F,SHA256=646E0A8829EB1C7963A7F94BC533E8BDAF98A7BCDA4536CF26A276A4604DD198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.647{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.641{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.639{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.637{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.635{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.613{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.607{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.596{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.591{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.585{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.577{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.565{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.552{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.545{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.538{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.529{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.482{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.477{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000295431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:44.051{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D987E60DD8BF0EB2FC799A9B333E3E,SHA256=75901F8C32242CC17EA796FFF213C3AC6DD64839063975CCB2B1855241CD4583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:44.438{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-157MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:42.570{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54884-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:45.985{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BAF176598157A28E92BE0DBB0BCB82,SHA256=AFEEF64E388B0AD201C3115BD50AF83AECE273E41C3A25E6DEA467FBA0DAF910,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:45.095{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:45.093{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:45.090{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:45.085{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:45.081{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000295450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:45.078{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE527B8CB6D5DC6A0A5DAB0370BA954A,SHA256=B540F1EE015D3C9BA7D62473128568B87CBEB612992FB5440D9E427E88E10B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:45.452{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:42.933{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54885-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000306790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:45.036{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:45.036{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:45.036{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:46.154{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC0D3E34DF6E2FD32DAFE01D4263859,SHA256=CD168DB47AC002008FEF8E2F51E8E2FE2FDD436142F4534134706C1472D32CC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:43.680{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54886-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000306796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:44.868{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54887-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:47.067{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2963E2C114E3A18CE2B19F492769F524,SHA256=A721FEA4470B2682D54A2B606E908389249A4A77272B7852DA0AB5225B4353B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.895{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39203871078D918DCF9FED3F03391B45,SHA256=CFFC333850155E6297DA5671B42A2BB11AA70BD90CC4B81EFA4BF820E596DB9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.786{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.784{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.783{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.781{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.779{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.776{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.773{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.771{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.763{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.746{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.739{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.729{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.709{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.700{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.691{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.685{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.683{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.680{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.678{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.674{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.672{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.669{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.667{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000295462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.188{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB56CE7163EC7B13385477CAB3F9387,SHA256=8C1966E96AAD2B1FBEC6AC336A974BB46B1B7D740D61D8ACA3B5A7A2B31D0BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.159{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.157{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.146{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.141{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000295457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:47.135{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000295515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:48.404{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D576046F64B83A55BFCCA37453C173E,SHA256=A46E1771D1A8C2BEA4DC46C09116250F4118DF39E119BBE16798868615A98ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:48.100{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF0B6572077A707E38A4F0FC3C8DFEE,SHA256=CB4EC5A6FA23258EE3543E9255CAD71CA51BAE1AB3003B6F495598D0580533D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:45.481{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61344-false10.0.1.12-8000- 23542300x8000000000000000295516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:49.618{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BC691ABBB14A1183A0D1C0F81F2DE3,SHA256=34A572A1D5369043F930E84C1FE1302E815A141165A7D9A6DEB859F7633A6B37,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000306829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.653{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastTaskOperationHandleDWORD (0x00000005) 23542300x8000000000000000306828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.638{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002D4.logMD5=6E209A003BAEE964D39B4206CA40AB01,SHA256=091276881782A41BAF3BFE9B38F579A375FDD94C2300F7E175A17518C4A2F7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.622{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002D3.logMD5=56F45529E7B52CC75578EC0DE0289F48,SHA256=644E8783EC1905FC855A3650C0A605489A3754BCFB5AB2F9E8C1FF27F3D532B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.605{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002D2.logMD5=37EAB3B6C897F049EFDB2AA0EA101565,SHA256=9495639583BDEDEB776B3A08BF413FD0B78FD51CC70B45C9D144E15D8E9CF812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.585{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002D1.logMD5=62CB14C28EE2C28F9CF1340AA9DE205F,SHA256=158B00751B1B725A0CB13A7ADB453CB54F94CCC71A489164E7799966E75185ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.554{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002D0.logMD5=DD1C0E200CDB1122BF4D02B19482940A,SHA256=BD4E74BECFED7009AC3EC6AEC95EF8F1B3C50C6172211ACCBF911543A13C764C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.538{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002CF.logMD5=7AAD08F0B74693D4C588C60A8C2FACA0,SHA256=8CA09AB8B9214167C01D890CAA8D117560092960D8ADF438E853121B5E39D963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.522{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002CE.logMD5=5DE13F82AF498A59B1D837ECD1BCC0CA,SHA256=2D081D5F1A29EDE608A4201CBAE23A71988C55F7DB5EB1C2575A0F84C0153BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.504{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002CD.logMD5=6455561416E68C7A2EE4541682BEA3D0,SHA256=375D9C4FDE52BA10F20CCCA0D244010D043BBFE5C4A2553969C2C03D0F4A668F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.469{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002CC.logMD5=CBECAEA25D6089F974D2C90E72E4C354,SHA256=B32680DE39F3AAAA5FFB0B80EA646021585A27118EF84E9019C824D37B6EA24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.454{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002CB.logMD5=3861DD90D6678E1A8FD33B43D03B6C08,SHA256=679C650DB90865989B2B812B5F8BB6887DB4DD1A2D60D441FE756B4206FC6A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.438{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002CA.logMD5=8CFCEE0B4021318DB99E8D7DA466EE11,SHA256=30D4190BAD0356D483C4FFDD0FD2B1423090B9A0A30F90D480E088A6BA6367FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.407{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002C9.logMD5=C76EE443D14D75B29EBD1B9BB1CFC1BC,SHA256=8AF6BB8466C629934D7E44B8777424160B4C1C507859C4CB1FAA7A5720DC72F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.385{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002C8.logMD5=B2E37CA8C77689E469E5F741A3AE51B5,SHA256=535585CBC118C5A9E0EA62BD2A91E0E74D1C31DE2CC75093DE6D39317AD61BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.369{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002C7.logMD5=0990868DFF975F7341FF314FFE296D7A,SHA256=C3FE9D66464D9C0E23A5E4C734588CF926DF36E35B7703C9D281893BAC508777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.353{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002C6.logMD5=531E44599AFF9CC4CD7CAA64D8F0879B,SHA256=B05E58B173EA64D8E96929200B36B26B8B09AD0D0A2CFD8C9C6F47285AABA3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.322{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002C5.logMD5=47F8E9A55BFCBB2D1C9759BBBD00D452,SHA256=1B21108A89B78A36B2CF627092478B3C6A63F99CA901DD656AA0B034BE694314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.306{F6DB49F2-D01D-6305-1000-000000007602}924NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edb002C4.logMD5=2838FD993CAE2FA581BDB2334FBD1749,SHA256=9FE05E914EA0F7BD5EE9F18CAC845C4C88BCA149F7EB9BEE7D9FB9FC218BE56F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:47.137{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54888-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000306810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\System32\svchost.exeC:\Windows\System32\taskschd.dll10.0.14393.4651 (rs1_release.210911-1554)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=5FE3004A4C13FBC1B67CA879BB23800B,SHA256=120A7B49788154395D02C920D9F699EC944784C5162D9CDF8AFD8C927A26B1D1,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 10341000x8000000000000000306809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.237{F6DB49F2-D01D-6305-1600-000000007602}12002596C:\Windows\System32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000306808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\ActionsBinary Data 13241300x8000000000000000306807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\TriggersBinary Data 13241300x8000000000000000306806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\URI\Microsoft\Windows\WindowsUpdate\Scheduled Start 13241300x8000000000000000306805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\DescriptionThis task is used to start the Windows Update service when needed to perform scheduled operations such as scans. 13241300x8000000000000000306804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\AuthorMicrosoft Corporation. 13241300x8000000000000000306803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\SourceMicrosoft Corporation. 12241200x8000000000000000306802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\SecurityDescriptor 13241300x8000000000000000306801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\SchemaDWORD (0x00010004) 13241300x8000000000000000306800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C00E74E4-05C1-4AB8-95C6-B9EC340102C7}\HashBinary Data 13241300x8000000000000000306799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:57:49.222{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled Start\IndexDWORD (0x00000003) 23542300x8000000000000000306798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.201{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8662C62EAADAD9B36F1CFADA4156F1F4,SHA256=28C0F1D0C94A7D448787D3883F5CDDDEE71864B0272133D4692C12BBA868B8B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:50.749{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A9CE3DA9A15DBBF0F4B8AC4E8BD6A5,SHA256=FF5F6A9226E51E135D26D074B1EFF659A991D5ECF6212D60DCAA461A8B9369E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:50.759{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8D0B975E5A434610E63A68E2849F9E2D,SHA256=EF88CAFA2019FE7B7061B883BB25B5FABBAB42CA6733B5204E6F33F407DBF765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:50.291{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373A538FA93DAD7E75CA64A74F2FF8EF,SHA256=D9D0B71F6C0DB2F5168DF8397B0A0E56EE56A95FA36B3CA31B50014C1FDDB170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:51.886{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F553548845A72C78FB8539E334AEFAB,SHA256=134568FC0AA44DB22D1A66ECB95359DE827C1289F08BC5396D047FCD52893251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:51.374{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF1E30C05B070C5DA6BC9CA54D10614,SHA256=3A53EE89BE0CF86E99C41D48660B74EDA4026EC4EC9DB5D7EB98DC349AB8B971,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:49.322{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54890-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:48.847{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54889-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000295519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:48.643{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62747- 354300x8000000000000000295518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:48.641{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52734- 23542300x8000000000000000306835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:52.374{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE28CA1C89B958B4B8198F51F7A24155,SHA256=7E51242F55CE2E3EC5174B25671710B64D4656056731565671F84D62D603966C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.878{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FCC1511A36850AA39854FD478885D8FF,SHA256=8C3C5DE6113C83F5B80DACD7B2383269409195EA5105DF764B95502F6A9DD65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.609{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764E629A1E4599ACE5571C768772B798,SHA256=94AFEB2768A98A942BAB1DD31352C1802D4C17B1826ADD31B030FE0DD18B788E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:51.608{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54891-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000295522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:50.648{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61345-false10.0.1.12-8000- 23542300x8000000000000000295521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:53.016{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF72724838B9B336C1CE0DC84109C776,SHA256=935999178DF8463DCDBB5BA2E37C0FACC45A42ACC47F5D193412A784B9A6EB44,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.342{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000306885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.342{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.342{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000306883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.175{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.175{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.175{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.175{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.159{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000306848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000306842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.144{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.145{F6DB49F2-F621-6305-8A05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:54.511{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA18682874E5B1F22F675991E5EBA1B9,SHA256=894C55A2735CD5912A0734B33CDCFD43100B6BD99F7712507A98A9B55C2EE643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:54.047{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65968CECE3EEF8929F276F56AB03A3A0,SHA256=7763E6A28CA29FD8F710D3E59BC29BEE9587C3341371D8824E1261164D91F361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:54.261{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0536B0C078CA46E668FBADCACE2D2226,SHA256=6CF17318B23A33FC8F1D2CAF8E465070407E49C40C6EDBB15892787CE5D37F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:55.150{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCCD599C4579579456DD8D3314F586A,SHA256=C66CE1BC9F88AA2B8F35B3E77467FEBCAD999349681E2874F0BD5646F906F91E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.991{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.983{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.971{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.959{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.952{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.949{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000306945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.745{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5028C51F0E9938C954DE78254A52D263,SHA256=5DF92A40B6A95E119249CA4F0792FF8C0E4DE02716A6FEAEB9EA6CBF4F790A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.514{F6DB49F2-F623-6305-8B05-000000007602}35085020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.514{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.514{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000306941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:53.878{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54892-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000306940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000306931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.345{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000306916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000306904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000306901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000306899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000306895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.330{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.331{F6DB49F2-F623-6305-8B05-000000007602}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.230{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8D54B4AFF0C56656850552A1B30D8686,SHA256=9858B7B8BE35E96EA030AB967AC60DDB8390383A34318E1C610F3BC4A62E9384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.861{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B26B9F29155EF4AAC250F54EC58EE7,SHA256=6E4CC454F787340F0CD408E08505FB9C494E6F4914A75A545A437FC7192C81CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:56.937{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:56.937{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:56.937{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:56.235{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB12BA96AEC4E177EEB1B7AABCE255A5,SHA256=73193878CCFD777F1FBB430A224A5550C7288627BCFDD092E6BAE1D3C59FDB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.525{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3215AFAEAD71AC00B34C07ACFC7FB4,SHA256=822FFBA93CD09835D044F4C85DB8BA905D386861DEA8C64492743D47A008066C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.463{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000295525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:56.091{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-157MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.462{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.461{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.457{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.454{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.451{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.448{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.445{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.441{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.438{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.435{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.432{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.429{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.419{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.401{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.399{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.396{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.396{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.394{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.394{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000307036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.392{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3111E8EB22A2FF849CD407672CDFC2E,SHA256=374FF362ECB6554EEDDB55F92462D497B768604AEF3117A95DF0AB8BE718C5A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.376{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.364{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.336{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.329{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.321{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.316{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.314{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.312{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000307027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.192{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000307026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.192{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.192{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000307024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.130{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.127{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.124{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.121{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.116{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.114{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.109{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.106{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.102{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.095{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.090{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.077{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.068{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.062{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.054{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.044{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.032{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000307004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.029{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.029{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.028{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.027{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.026{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.025{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.024{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.024{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.007{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000306995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.007{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.007{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.006{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.006{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.006{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.005{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.005{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.005{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.005{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.005{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.004{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.004{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.004{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.004{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000306973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000306971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000306970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000306968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000306967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.001{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000306964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.000{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.999{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.999{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000306961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.999{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.999{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000306959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.999{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.996{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.996{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000306956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.995{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.995{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.995{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.994{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:55.990{F6DB49F2-F623-6305-8C05-000000007602}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:57.322{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED3B426DA828F62A54892CB4B429519,SHA256=D655B56A320C8966B002AE0F03A1F838AF62118CDE91D99544EFBCEC4EB1D98D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.715{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000307110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.715{F6DB49F2-F625-6305-8D05-000000007602}55842012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.692{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.692{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000307107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.514{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.508{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 354300x8000000000000000307096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:54.826{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54893-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000307095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000307071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000307070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000307065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.492{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:57.493{F6DB49F2-F625-6305-8D05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:57.091{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:58.343{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0F391B5C7C57AB8187884BB434F1F5,SHA256=1CB9375A3E068B7A8A21E518D8BBF79263118C19536A1DE735409A1FFC9DCF74,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.981{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000307215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.980{F6DB49F2-F626-6305-8F05-000000007602}7563124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.980{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.979{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000307212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.912{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE74485D967EA8A4BD51DA326C304EC3,SHA256=20D7A33A986EA6DFCB22B994FF190C7A2D2201A3DCE7CD7713320DD9C29AD0B6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.813{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.811{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.811{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.809{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.792{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000307176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000307171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.777{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.778{F6DB49F2-F626-6305-8F05-000000007602}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000307164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.345{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000307163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.345{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.345{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000307161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:56.063{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54894-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000307160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000307153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.177{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1718821DD19B8A1DB16EE0A28F58E0F6,SHA256=B6A74A9437C83BD81BFC0B4C3D21718F26AF2094977D89D02DE4BA85ADAFDDBD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000307145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000307127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000307123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000307118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.161{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.162{F6DB49F2-F626-6305-8E05-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000307269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.861{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15441DD4CE0B7E8595F39880246D05C,SHA256=847C5C3AE810535C83275B2F188B952A30F3C6D95D198A9EF43BEB3B5C7701A0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.630{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000307267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.630{F6DB49F2-F627-6305-9005-000000007602}28768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.630{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.630{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000307264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.461{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 23542300x8000000000000000307229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E47BFF569087298DD5922CBAD42C99,SHA256=3A111A729200F69D1EAC82A10F1413E9D968E6FAB604C453868195C830C67011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000307223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.445{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.446{F6DB49F2-F627-6305-9005-000000007602}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:59.370{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB789B54EE4C7CFDC93E7CF70509A91,SHA256=05AB3594F17B912DD8CFDB93F786C4B0B3F0E2A38BA95BE82411FD634EE7800C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:57:56.582{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61346-false10.0.1.12-8000- 23542300x8000000000000000307271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:00.629{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832B076C1D27B943CE31CD007489D899,SHA256=33B98C948402D30F29D357E4CD0B126D92616CB0DDEE9FADA771CCEE18D36D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:00.372{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB86D22A6279A864C10830C7BB6CC652,SHA256=EFC6F0F921E435EC3FB6655A8CA8F8DCBAE4C2E03C3C4A3C3B46B02CA176F05F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:58.262{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54895-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:01.694{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6F3E15227CE6CAA416F29A9604D497,SHA256=16B1096D23BDA59A03020B3C92BCA23CF3894D97A8FF0DE0BD7B743B6AD9ACE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:01.395{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2D3CC009EBDA692735878099984694,SHA256=C71EDC2EA10DF2D72E2E3D8A0498596DCD56483762FD9D47C2B36903277C6B8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:57:59.857{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54896-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000307275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:02.812{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F5CFA2D06D22ADBC451BE0F98DD5CD,SHA256=7D109387F6E907986ECB36C0CF0E3E3F4E532CAE97A7F329C970F964E6E59C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:02.519{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBD9B9DC3AD9BE5DB18912F9CE594F7,SHA256=5B7E977347859C60B41A6DF7C6A9BA169735C252B7CE7CC7457E84C415A6C21D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:00.462{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54897-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:03.911{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C98350FDA8FE95A81DDA445B39CE36,SHA256=1221CE6BD22C5C38BAD8D6C13359935F3212C61FCF8618756FFAE4F72DC5BFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:03.649{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442D9EFD57D044915E1DEE96CA3C460B,SHA256=E3A947311DBAF157A7B76A28B2FD3F06146AC574E640C913DFDD538221FE57C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:04.947{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116096EEF7E2A2535BBC77F218D25768,SHA256=97EE015BD338D194081DC5F155265E15F84AB9284C992F2761AF4853F5321C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.758{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB93C37AF8E18A8314F4B3652F40AAC2,SHA256=4B9E0AAD8DFD70B5A272BE9366DD8AAE1CB0850D57557282A7C707D5124B9234,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.709{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.697{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.693{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.691{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.687{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 354300x8000000000000000307277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:02.650{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54898-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000295551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.646{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.637{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.626{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.621{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.615{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.606{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.598{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.588{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.580{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.572{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.552{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.497{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:04.487{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000307279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:05.964{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7193739A2C482EAA5C7E478FF96E23DA,SHA256=815E4FD73A9ECF08126CC1B31CEF7EEFB69D54CDAF088246FA0E2D1D5D08DC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:05.704{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F37D5805240DEA9915662A7E8160E8B,SHA256=613A9115A4B4AC843B768A27EE50056F4FA99FE31857E9B057EF011416140CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:02.610{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61347-false10.0.1.12-8000- 10341000x8000000000000000295562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:05.274{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:05.272{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:05.269{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:05.266{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:05.264{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.967{D25361F1-F62E-6305-3205-000000007502}64961836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.967{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.951{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000295669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.872{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2844B82DACDE8E0214AD4663A1BA2A7F,SHA256=C05C7BAB2B5A36B386699EF9A215CA2F07B7373E22AADE0E8F267832C209DE67,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.788{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000295659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000295644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000295632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000295627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.772{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.771{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.771{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.771{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.771{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.767{D25361F1-F62E-6305-3205-000000007502}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.605{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C87F78EDDCC87746E2CF55EB8E1FAF3D,SHA256=694B13FCFF8238B330A675E8FD3B5D7A4202064B9A3B7BD17458A309B671892F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.307{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000295618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.307{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.307{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000295616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000295607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.135{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000295586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000295583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000295582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000295580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000295579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000295576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000295571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:06.120{D25361F1-F62E-6305-3105-000000007502}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000307282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:04.932{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54900-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000307281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:04.909{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54899-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000307280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:07.032{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A196E141CAD00D9C044F536D973DF07E,SHA256=056556981E43A36C93099417DD2452FDBD2F3DD294FE3B304FB67F3FE1FA57B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.945{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.943{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.941{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.938{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.936{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.933{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.931{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.925{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000295745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.923{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=704C642B9DF9358764D6F39068D12BFA,SHA256=85324654BE872615B9948545A740DF2EF0654FEE4EA934C320203F33D008B924,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.906{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.899{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.890{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.875{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.870{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.860{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.854{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.851{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.848{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.841{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.839{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.838{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.836{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.835{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 734700x8000000000000000295730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.634{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000295729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.632{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.631{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000295727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.519{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3C299A3776108A7F715A2A143AC36,SHA256=603F2FC08080FC38C6FB9EB835908E024480D3AA419505C9F74FA10A9DC2571F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.472{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.466{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000295694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000295690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000295685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.451{D25361F1-F62F-6305-3305-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.325{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.323{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.314{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.313{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000295674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.305{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000295673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.250{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DEFF48608D077931E163F9B488B23FD,SHA256=50600BEA6FC463C2F27F2B373DFFEBC9A4E2279B0925DBAF2455B1C5D3E497E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.971{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8CC5E8247233068E078AC19BD43B5C,SHA256=A6D78CA6E835CE8C4DAF63930F5A94E2229FB74C0E00AB5CE32C9B347D12045C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.920{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000295858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.920{D25361F1-F630-6305-3505-000000007502}48286368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.920{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.920{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000295855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.889{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E3D1BC8E01C9226D7D403D8E2A735E,SHA256=B1A78447CA0A0E876F1DDE07E0791C833526551D0FA7FDCBE4AA77D9BC8BD13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:08.063{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4122845447169BA1C584EEC0B4935F,SHA256=661FE3BE940D71880DE6D66DBD9C1C465BBBF892B4A1E52C7BA437B265663F72,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.796{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.795{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.795{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.794{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.792{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.792{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.792{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.791{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.785{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.785{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.785{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.784{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.784{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.784{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.783{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.783{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.783{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.783{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.783{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.783{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.783{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.782{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.781{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.781{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.781{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.781{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.781{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000295819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.780{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.779{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.779{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.779{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.778{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000295814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.778{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.778{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.777{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.777{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.777{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.777{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.774{D25361F1-F630-6305-3505-000000007502}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000295807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.273{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000295806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.273{D25361F1-F630-6305-3405-000000007502}68641916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.273{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.273{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000295803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.189{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA2A993746F972BCE54EBB71F876B1E,SHA256=A992D7889A7C670505ED4F78D8C33A5546679DB7063C46828C5E1156B325FD91,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.120{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000295767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000295766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000295763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000295759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.108{D25361F1-F630-6305-3405-000000007502}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:08.105{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896A2F03929188AD3DFD3409FB0C3F5,SHA256=E27CBA5697734E14810BFACA3C24D0332C4505E181BAC11A0B1E48FFE8C1D628,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:07.233{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54901-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:09.210{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B93EE931C19EB37E294C3ADB6FB9C09,SHA256=B3AFA0FA36BC03126E46CC70A2C7378C37C8E64AEBC5813AB14ECA4F723E4160,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.605{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000295911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.605{D25361F1-F631-6305-3605-000000007502}59565748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.605{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.605{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000295908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:07.681{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61348-false10.0.1.12-8000- 734700x8000000000000000295907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.452{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000295887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000295872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000295867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.436{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.437{D25361F1-F631-6305-3605-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000307286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:10.312{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41358998873613D7932B71AF64368B3D,SHA256=6DB6991BF105440A15EB8A079471ED5461CCF5320AF486627CAA90A69ED54A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:10.106{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9765D2556AA495E0584BC9FA6426211C,SHA256=22154C192BCCA71DCDEC6E1BD5C248813E139F79AFFBF4A38993D051A2A0EDA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:09.510{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54902-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:11.447{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBE95646ABB5310AD8A2B844B641936,SHA256=758B158A6D83C438DF832F4A1D6BF262251129D9DDD92C342B81C4A292B9F571,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000295967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.737{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000295966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.737{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000295965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.737{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000295964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.574{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000295963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.574{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000295962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.574{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000295961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.574{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000295960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.574{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000295959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.574{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000295958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.574{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000295957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.568{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000295956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.568{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000295955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000295954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000295953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000295952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000295951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000295950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000295949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000295948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000295947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000295946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000295945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000295944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000295943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000295942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000295941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000295940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000295939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000295938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000295937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000295936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000295935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000295934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000295933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000295932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000295931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000295930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000295928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000295927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000295926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000295925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000295924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000295923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.552{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.553{D25361F1-F633-6305-3705-000000007502}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.013{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61349-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000295915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:09.013{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61349-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000295914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:11.221{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921DE8EB33570159D4B33D384D594587,SHA256=A213C49EC0981391BE5BF5BAA58089599F297BBC8803238C6A718D7B337B3DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:12.493{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C58B7F2FB7E0DB1F6EDC1DD9C28138,SHA256=71041AADB43836D52E18CCAA1CC62290BAF8CE40CAA441C05CB629F6E611AAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:12.637{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52F3191A4646230B4236FA5639AB487B,SHA256=5D57AD77162CE8253E4B4037D41A1AF90327C1778BB0E6AA7BC2ADD0D4F7D53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:12.339{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EBA8DE2E4E6AA92CDECBF4DD7B8C5,SHA256=F1FB956B171BF22511C47353837837EDACAE86962150C84E34DDE2382269D140,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:11.711{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54904-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000307291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:10.888{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54903-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000307290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:13.593{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D603653BA3F3C784C6D4636EC5E9432A,SHA256=980E838F194E012DAB25A7645A8AA6973428CBAC36A79E547EBEA6E6F8E71269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:13.421{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79F9D0039E99689981194CFD128DA1B,SHA256=EFDB9C92098F68E349B4B6F6C600D57CC8AD5A4DA3FE6C394390FE0FFE1E7C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:14.711{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85785707B14E8CFBC5702F92D8F89E7,SHA256=618006ECB1C2F666F9F3728207AA4C01A533C22051F643F7B9025EB299AFCEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:14.536{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C792D5D631DB526084901A92EAE09027,SHA256=16C94578F8C36A4DA4281109A78CC11347778C493EAFE863E485327E33455371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:13.567{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61350-false10.0.1.12-8000- 23542300x8000000000000000295972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:15.636{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C47AC72F7FBEE8F2DC266DDF04AB7D,SHA256=E8456F16A2059F92FA9B063479F7260384225D15875C89D947D88B1F03D76803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:15.999{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:15.986{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:15.972{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:15.964{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:15.957{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:15.955{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000307295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:15.760{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBD432C67986E918A2A84750A66DCAD,SHA256=04E0875C2F2E31E54EDFAC83F1D872797488EBD9CD8C7F72DB5863D092C6230C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:13.993{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54905-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000295974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:16.770{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCEF2FC603D947D59ED4940E4AAE454,SHA256=BE0F7953D8D631FA53DA816460CEB44F33CFC3C174BA36C3F7EFE4B5ADE44124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.813{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AEAE7C57606916BA77C9937F0FF2B3,SHA256=B27C73A10C5BC7976CF15461916AE4505848E77712786F27F5A7F8DEA93C1671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.473{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6D4B8DC405002C2F1B78D6C565D7C9,SHA256=F251FE497924CC5E2FCEF75571651384AA00BEBAC66EFEBD9307EC86B3626C72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.313{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.312{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.310{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.293{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.287{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.282{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.279{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.275{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.272{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.268{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.264{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.260{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.258{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.243{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.221{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.219{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.217{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.217{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.216{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.216{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.206{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.180{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.138{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.130{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.125{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.123{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.121{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.118{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.116{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.115{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.113{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.112{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.111{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.109{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.106{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.103{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.097{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.094{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.091{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.085{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.083{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.071{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.062{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.054{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.046{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.040{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.030{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.005{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000295975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:17.868{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5B766FE68A86EC58192FBF30D5B1EF,SHA256=8D4BFFFBB3E539BDA1A563AE026061D3939E13F69086EA35B9BB8E1F3A14D0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:17.911{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC44040F4FAB2CCA1E5EA53DF96231D7,SHA256=B6E07A339149602D43A7E6523FFE09E0D500FA6156E26714C9A0C0A48879A172,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.193{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54907-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000307353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:16.042{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54906-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:18.919{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E017EA5ECC286EBC2ADDB5703B63FD95,SHA256=4B626DE41C4E214FDDD1AF0F4BCA31C5A0E21723DBCC43BBD110091030D24E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:19.045{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CC94DF675220878FF4ED4C807E6D12,SHA256=BCC655FE4B7B271E9C696798C228D393B32BC6D9EB10DE14F7313313D31157E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:20.304{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:20.035{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ED6A8F9D0B357217BE1D39DCA1C376,SHA256=992BADAA17FFE578F35D285F3863320CCC42E9F102FE1CF5C343CBC7DAB9B0D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:18.462{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54908-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:20.075{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5508C19DDA65587FE5F396F5438FE053,SHA256=FA8DE0AB357A828A54EAB15F1C482E42773B0DD73F1718A7BCFE087A2D8FBDDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:19.748{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61352-false10.0.1.12-8089- 354300x8000000000000000295980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:19.531{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61351-false10.0.1.12-8000- 23542300x8000000000000000295979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:21.151{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF811A1BC363E21D6A95870E300C08A0,SHA256=CF5EEB967DE29DCC899D7229D08B412E975C22CB8A66A63CD0B64B3D1B48CA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:21.200{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F3E68DF436013ABEC9BDEF1AF0E356,SHA256=16A5928CD9806BED7518DB6C7D50B372C9A79B1B895D188190D9261EB2F95D35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:20.755{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54909-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:22.317{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E62F886FE735194DE7621885E69832,SHA256=E6E92734556F21897CAE921A44B867382E4184C4C6E208A434985E639E4843AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:22.268{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B945D3BDC016CF1F5102B8A589D9580E,SHA256=87AFCBB66E6396F37F11448093EF89A9CBF3A41F1DAE24466FADDA3F0049BBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:23.302{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175EAB4DB03BE509CB2E9D5CE6E807B2,SHA256=3ED122E5CBB05D7D6C36424B34041DC2ACEDDD6845E868A185CBE1CACFCB6608,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:22.014{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54910-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000307362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:23.339{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0126D20018596C7597539D7303C76ED,SHA256=DD18B28AD2AE0C8DCFC3D7349EBC1E625DCFC789776101FC66974AD3C7D22AA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:22.937{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54911-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:24.453{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A68763BD0A7B515BB2A7B1F3B3004C5,SHA256=DC316EBEA11B97601B25720F2E967F8ABBEA12DFBE89AA9D4F6E94B5D8EAC7BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.692{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.685{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.681{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.680{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.673{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.639{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.629{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.618{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.612{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.605{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.593{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.583{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.572{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.564{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.556{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.547{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.497{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000295985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.493{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000295984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:24.419{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F0415BAA9BA21752C409926DE4D1EC,SHA256=B250FF563BF2D4FB651167577A7CE6846A8D8FF9D9E02DCBC2547489AE8FF149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:25.548{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5708D4966A10D6A63EE0C2658ACD33,SHA256=1AEA17A082E984D2DDC5E8CAA85CF2A0A932C34DDB36BA7F1B9D98C5287D10CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:25.568{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E609583F19FDDCAD75761791DEC09E0F,SHA256=286E868B9C73A69FAC96931BB4779CE5C158D9A4F9F39742BEF3DCDCAC403BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:25.500{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C0B5E81CE112E3E78B8C6B703C8CC1E7,SHA256=D9299F14C353D795BB5C7EA3FAF960B3E12667F8973B0ECE5626946F15FE8892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:25.123{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:25.121{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:25.118{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:25.115{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:25.113{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.786{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.786{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.785{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.780{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000296015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.779{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000296014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000296013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000296012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000296011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.774{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000296010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.773{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:26.748{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE37745DBEEF821C60665EE6E312C12,SHA256=8E64AE44494CE58D98F3E2FD1A2F985B55A71E906A6A95C760218E3B46E85757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:25.254{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54912-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:26.585{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A60B6FEA4E0F5DE3112FCE867EF245A,SHA256=4375164F80EE6F80A470E73BDA9B04A30CE320C9FA734752D628321D8F3E2509,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.841{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.838{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.835{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.831{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.825{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.821{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.819{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.808{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.781{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.766{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.754{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000307370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:27.702{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4FAC84A9F7E6147CE40B8F8187B324,SHA256=7B025026FB79C5E94E46B200D1B6A563BDA47E83FAA09938698DF552D7214486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.737{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.731{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.722{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.717{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.715{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.713{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.708{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.706{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.705{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.703{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.702{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.184{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.183{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.172{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.170{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000296020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:27.164{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000296048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:28.834{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0717A2F3145A055DA09730CF1F8B9D6,SHA256=D6F2E8260A9D87DE3DD4DD791B15EF1FB56E788CE3FC726C4B0B7E1F8D097C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:28.816{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F522DB1DA4078FDCBAFD826E995CCA,SHA256=F4E97D106725B07CA13BCB61DC2D6851FF9FBB8EC7784D5A928BD762A4E5F286,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:27.453{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54913-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000296047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:28.166{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89417E64C024E3EBBC36425A102EB2D2,SHA256=6AF00122A97E876483C02C2405F6E4BE25AD45B619E50823A56E1708799C146E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:29.949{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A08AFDE5A8BC1504A42CF540D03B1D,SHA256=F24EA6260132CC7829E1CF7046D586EE6328CBC492D18112A9333E107128877D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:29.835{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C905826FCFC6D0E611E8893D00817B1,SHA256=2FFEA12392360607107618593A66A122320E4D7518F8243C07A5AB0FC5551595,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:25.564{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61353-false10.0.1.12-8000- 23542300x8000000000000000307375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:30.867{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3533AB4987F483A613F8B7832AC6B9C,SHA256=41EEBE1851B6617EAEDBE30A747C97FDA14B76313A2088F072DA7DA896EB4B31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:27.995{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54914-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000296051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:31.065{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEF1C054A7D897DC2656FE7B0928EC8,SHA256=54641305C1685EFC643959A58A4DAA6EF944BFF68DD7399428B6CA779F7C4E6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:29.731{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54915-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000296052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:32.185{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920D55C37ED9284C321A8CAD6D7FB3CD,SHA256=E4934D16E39F18FE2C3B29863CB057C98ED4D2F1422BF0F556AD5DEA97154EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:32.055{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FA0DC1EA3385025F2AD0DB5E4AB1C6,SHA256=F7EB8B74F009341B12ABD9A410FF979443B572A55C817B31792C54C0C7133B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:33.301{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC3A2B33C879F0EA44774561E0CB659,SHA256=B0B25F6785ABF26C9D7D2D64751137C2E4DCE7A7FA3A73D69584B69D320E85B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:32.035{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54916-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:33.185{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D748FAA28C6E9D3F2569ED8EF121B5,SHA256=810DF3442CF1238A9DC8E027981542F76E1B6D9B5CF485A00EEF6C0D29EAF99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:34.431{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9444E1B1F74B8407597CBB4E872FFF25,SHA256=9E47B5DE41CDC40E39553BCBAF45D54C6BB08BE9E56CDAD80D6299E711113C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:34.286{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72607893695E8B4FBDB23DDAB4829124,SHA256=56D7C1518815513A2A6E552C3C62E47F6D6F0067E549147C005908F537873D54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:31.493{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61354-false10.0.1.12-8000- 23542300x8000000000000000296056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:35.530{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53697F576840FD9058F9B3C04A9C566,SHA256=1C2A5FEC3659E8A1C643235756207A8A70EF82D8AEC693CA93FEF59274DD1DEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:35.992{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:35.980{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:35.970{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:35.966{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000307383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:34.335{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54918-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000307382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:33.881{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54917-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000307381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:35.385{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525F246880FC405AA44862CAD47E5596,SHA256=E3014734F73225DB94B679C61F47AEFB1F1485C24371D87B6A20D38BE9D50DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.588{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD942E9914EF16E64E1934D694793A3,SHA256=24A9A6DD92F30355C40DBE5AB7B03E93D4273159C4BEA20B743B456CA8E51A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.587{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A807E69509ED9A71F8D07AF546E6D1F,SHA256=7FC55413AB242D4D11A2AC1C6A4C6E04293F36FD1774234138ABF52257C4E719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:36.662{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290AAC39DCF44AF97E24B7FC5D46892D,SHA256=29CF664FCF883801CD6AC11E7C8BD5878D516C86E0C28951C066F2ACE74A1316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.334{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.332{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.331{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.323{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.320{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.317{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.312{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.309{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.306{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.301{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.298{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.293{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.291{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.276{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.255{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.253{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.250{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.250{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.249{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.247{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.234{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.222{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.186{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.177{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.170{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.166{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.150{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.138{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.130{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.129{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.126{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.125{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.123{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.122{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.117{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.115{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.109{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.107{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.103{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.097{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.095{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.084{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.075{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.067{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.059{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.051{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.040{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.015{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.008{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000307388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.000{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000307441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:37.719{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA35CEDE1E442E2927D3C9C13B12D6BB,SHA256=E2FA26F4AB9CDF4EE34EACC27BB6B276A94456FB446F3791F22399761C4558A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:37.744{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED7B7CF17C53587F56DAF580328BEF1,SHA256=3A264A39BEBE7EB20FA6A0C52094B58D0DE9B0494AE13C92A7273D9E090A3C45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:36.614{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54919-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.802{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE988D6DCCC933B09819B7B312C4A195,SHA256=3887CD18CDC768CB71AE2645EACE3D9AF29578ACBAEB0FBF66F85FE25DBF9384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:38.861{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F26DDF03DCE4A387D95067048DBBB5,SHA256=137F4671CDA6D3188CDE6A6A0CA3FD2F0296F2380703733620CE1C6586215AB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.323{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.323{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.323{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.314{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000307447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.313{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000307446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.312{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000307445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.310{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000307444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.309{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000307443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.308{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000307442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.307{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:38.144{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE057808D77112A18C14CA168156B10F,SHA256=B1060145D28594D7AA775D731C83F80CAC7CE1B61AAE300DEA898A928CCEACBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:39.923{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E3D025026957C13E86666022DA8AB1,SHA256=D08B4CC9152D03435F634324C7AF4AD46605D7FB706D5A3CB2E085800113FD31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:39.959{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B023BA8BD636C80DE89FFCC8754EAFD,SHA256=2C8B30D2FE6B8C6C7C8D5EBD61EF5DC46385D39A2A1B824F1B633D3BE6640ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:36.706{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61355-false10.0.1.12-8000- 354300x8000000000000000307456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.999{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54921-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000307455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:38.889{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54920-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000296064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:41.394{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=97445187EDF2172372C9FDB88FA51A60,SHA256=D549737E02FA2DE94BD8D8113AC6C822B881D41D68EBDA9FA14819379DB8A747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:41.078{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311926F4AAE394D4083C093DB270CE76,SHA256=42ADDC17FC01ADE5D6928BE8DAAC192E40353EA3F48E9131843C67C1C080DF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:41.026{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED570237752F8AF9DB3B2D7CD1BCE74,SHA256=2C26F9A9D07548484BE036E92F94F1776BB8145C48617851B8C7A626B683BAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:42.159{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F4A830BEABBCF8CCBD5F58F1EB9F30,SHA256=07DBD540C0B8E81A96AB6B29BBC758FF6960367D695CF47EA37A084EB0367B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:42.743{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A1FCCF09F716DB28951738A8ACFED81A,SHA256=80EBFAED8FB7E1D3864E1877A10E40514FFFCD0413109E28D4316398A3618797,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000307468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000307467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095f651) 13241300x8000000000000000307466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b797-0xb551bbd0) 13241300x8000000000000000307465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0x171623d0) 13241300x8000000000000000307464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a8-0x78da8bd0) 13241300x8000000000000000307463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000307462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095f651) 13241300x8000000000000000307461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b797-0xb551bbd0) 13241300x8000000000000000307460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0x171623d0) 13241300x8000000000000000307459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 09:58:42.405{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a8-0x78da8bd0) 23542300x8000000000000000307458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:42.026{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCC7815A32D369EE06D4CFE702F6D59,SHA256=0A42AD0B5A36163E1B4EBABF2C5066FD0CB466DA370D76E76D328363BD5F7101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:43.240{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4768C0CC907FDE9E3F4FC0E1F6051B8,SHA256=9F8924670351F8E34671DB626F81B81CC9BADC392C9DE7F0A63D683A247847B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:43.926{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:43.144{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DBEA790FF5466E51AB33EC59DF0B17,SHA256=5CE8B585DD92072B6EC5597925AE41A6F97F26BEAF9C5E5529DF0877A92FB0F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:41.076{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54922-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:44.259{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB461239CB0410AA65A9AF62506E887,SHA256=930ED9B185CAF4156E472077BDA711AF5E660B8E3FC9072166E8FA02860F8EFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.674{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.668{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.665{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.663{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.661{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.638{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.631{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.620{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.614{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.606{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.596{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.587{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.574{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.564{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.555{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.546{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.492{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.489{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000296067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:44.340{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA94BA4C24973409B7D7905DBCABB2D,SHA256=14847C0C38A3DDA36A0AEC9EE5B69A9AA77699A82CA5D78032A04FAE7E99404F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:45.377{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2025CAC541133DF0E46B1FDD12FA60F2,SHA256=B2DB5DE9A8B85529652985F772090D04EB3877576533EB1ADFC38693D36E114A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:45.977{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-158MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:45.291{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD03AAE9F6E27DDB3BF1C3566C01509,SHA256=0387D3251F7BFBAC601F35B009E62F77F44801B7C899CD4C1171D3CD6A16C298,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:42.670{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61356-false10.0.1.12-8000- 10341000x8000000000000000296090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:45.094{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:45.092{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:45.089{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:45.083{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:45.080{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000307479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:46.978{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:46.390{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A070701D7F95037E378DC0055483B4,SHA256=1FEB7A9175C3A18EB6C7525FCF9CCED31EA358CEDAC456059FBD12D14128509F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:46.493{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2969BFA0454ADCEDEF1347ED1E67C0CC,SHA256=4DC353489778C964434C4CEB3E47528DF9BAF107FF937163C6FD338097294DE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:43.702{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54924-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000307476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:43.245{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54923-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:47.407{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A478948C54AFC254D25B4D410AC3C99D,SHA256=E2557A32544E14DB025D1F3D5AA36A91575ECC7E1893ED7F7D46DB4CCCAB53C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.834{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.829{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.823{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.817{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.814{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.808{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.806{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.793{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.774{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.767{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.755{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.735{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.727{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.713{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.707{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.705{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.702{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.700{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.698{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.697{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.695{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.694{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000296099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.593{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA1E197306615CCAFF5B85D642F5CAB,SHA256=C1673502CB284C9BAE2B5461F1996C8D672C6B91BAD4E1985AFF1A77336700C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:45.538{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54926-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000307480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:44.955{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54925-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000296098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.178{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.175{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.163{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.161{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:47.155{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000307483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:48.508{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F5BBE2B6621BF5F7453BFFE173E0CF,SHA256=F7CD0E24E5BDE755E95887CE5ADEB8008792ACD83B346166F6FCDFB16525F1F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:48.677{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D16EDFABD3A6E763ECFC0F1A663CFF0,SHA256=67F9787DE7D58FDF13824E51D7CC64554503F83D896E2AF8079E233532EDEB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:49.624{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C893B1A49FC473543B79F4AC5093DC81,SHA256=867AA0B59762B65B2CACC0B769E74FD09D37B1BB1D544DFB0551BAE43F91F34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:49.792{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D182C7648F4E97025E4DF63A000E7CE2,SHA256=5BCFF7B72A6981EE6E042A33420B5298295EBC280C9E437B5BF7A57A12B0895A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:50.922{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294D50ADEA436BE01DC8E884ABBA5D36,SHA256=8BC646ED42F22FAAF8B3B46C0D44527998716DCDB096F7A29FEEEA9EB88DA823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:50.706{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED9707746F86B0C00AD0CD2EFF03B99,SHA256=C9B6F1890B8CBAC6D39822E0CEE77BC380FA1ECAE714EB2D594BD8B23E8B2546,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:47.723{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54927-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:51.805{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9731E1B04F5112769CAB40B9E63557C8,SHA256=B3430F6E63A1D145E9AEF16241DA2FBC2C29B2B9D8FED8AA67B8DDD6F9C65747,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:48.654{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61357-false10.0.1.12-8000- 23542300x8000000000000000307489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:52.924{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F43FDB4FD764961B1BF288F3A4633FF,SHA256=66463063161ADF60CBCFFB9A20FE85362AEE903D8231E839E85A72BF9E36D3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:52.138{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A97320CCD518D45D55ED950392B366A,SHA256=59EC3283A9C113D3783D67B61E54D4D57614EF59BD69460007FE05FE38F69E61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:50.022{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54928-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000307540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.367{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000307539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.367{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.367{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000307537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.174{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000307503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000307501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000307496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.158{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:53.159{F6DB49F2-F65D-6305-9105-000000007602}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:53.254{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456DF62FB4B1EBD96901D2F1EFAC75A9,SHA256=07C559C04FB7B7E7902D4957B48B6C8E6B88DC33E32594605AC431C68DD8C0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:54.274{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EAF33ECEF0DF081B8013C18BD72E11,SHA256=21189218AB3A25575A29ACE24411DDF16E3F353FD91BB7EC076C42963579BBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:54.374{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBD53D4F083AD79EC5A3CA84A4B0329,SHA256=8DE960C88BE6032BCB27ED45507C814CD7C0AC50AF18C85ED304A86F95966C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:54.374{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0988BB0CEF89B2C8FCB36D78B9538C02,SHA256=E450D124F265631FDB85A3669538629346CC089E6A2FC2AF4F71CC75A15909C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:54.374{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2428B7EAFEA225008218849F3737DED7,SHA256=E7E27A8BFA60061C135460FD721D6837433DF669E40A57CEA51722007DA4249A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:52.324{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54930-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000307541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:50.871{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54929-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000296129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:55.453{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDADD9121AAA9B3467FE00CE7D9E1D83,SHA256=9A2E6BD6C1E755FF6ADE07108915078F221A534EF93BCF43AA782A7FB1F0AD21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.996{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.988{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.978{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.968{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.958{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.955{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000307602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.624{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A773D0EB69E3A9960D83DA2EA5F7451B,SHA256=0AAAA5F558EF2B8FBC97BA36F1027ABEE12D0CE8FCE4ACE8C1B8547ADB39E7B1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.543{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000307600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.543{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.543{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000307598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.374{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.374{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.374{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.374{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000307589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.358{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000307566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000307564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000307563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000307562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000307561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000307558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000307553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.343{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.344{F6DB49F2-F65F-6305-9205-000000007602}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000307546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:55.146{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ACD572DE8E19E3AB405986FB93427D,SHA256=8CB420BB8D88D4D735EA2D87FD96BEEA96CD2156CCD22FB8DEADF61B62E70A80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:54.613{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61358-false10.0.1.12-8000- 23542300x8000000000000000296130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:56.655{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93AFA2746B0AACD6B3FBDC32D765355,SHA256=0792C482B103650400F5ECC25A08B198BF29457DE2775DB7B9F5BBAA3231D46F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.266{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.264{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.262{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.254{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.250{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.238{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.236{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.233{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.230{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.226{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.222{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.218{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.216{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.215{F6DB49F2-F660-6305-9305-000000007602}61003484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000307703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.215{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B532D97093A8AC83F24EFBFEC600F3,SHA256=181E8F062751B8584EAE032B208F8EDC55169707C0DA8A45A110A56A2D8DDF99,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.214{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.213{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000307700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.212{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000307699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.200{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000307698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.200{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000307697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.200{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000307696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.199{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000307695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.199{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000307694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.199{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000307693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.198{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.196{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.195{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.195{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.194{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.194{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 354300x8000000000000000307687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:54.606{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54931-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000307686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.183{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.173{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.151{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.134{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.129{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.121{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.118{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.116{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.114{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.111{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.108{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.105{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.099{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.093{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.091{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.081{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000307663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.080{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86C1D6510338F4DD970BB659273A238,SHA256=BA7606DD780F9804F4FE838D742F5C4BE3069D67D4D4481486513578D946E5AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.073{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.067{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000307660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.056{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000307659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.048{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.047{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.047{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 10341000x8000000000000000307656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.046{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000307655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.046{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.044{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.044{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.043{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.043{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.042{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000307649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.036{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000307648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.035{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.035{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.035{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.034{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.034{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.034{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.034{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.034{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.033{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.033{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.033{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.033{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.033{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.032{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.032{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000307633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.032{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.031{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.031{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.031{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.030{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.029{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.029{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.028{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.028{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.028{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.027{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.027{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000307621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.026{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.025{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.025{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.024{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000307617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.024{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.024{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000307615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.023{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.023{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.023{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.023{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.022{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.019{F6DB49F2-F660-6305-9305-000000007602}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000307609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.004{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000296133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:57.854{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A494A2DCA06AE21E7961465188C64B9,SHA256=9E29AC4E684ED645254305DBD070846A348E32BC45C8946E274652740176F5DA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.714{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000307768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.714{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.714{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000307766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.631{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A514755D895F2F4A590C2558E8AE79,SHA256=2651E139044008894E380889D8AA98E66A466F1FF3D384DD7885BA8642084337,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.514{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.514{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.514{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.514{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.514{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.514{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.514{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000307750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000307733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000307729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000307724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.497{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:57.498{F6DB49F2-F661-6305-9405-000000007602}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:57.624{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-158MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:58.924{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DC90A7BF6AD74490172359D62937F8,SHA256=F1E6858890DC204BF44C5F33DB65CE350FE0DD371A89ABCE716CF06FCF955BC3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.951{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000307872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.951{F6DB49F2-F662-6305-9605-000000007602}23801688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.951{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.951{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000307869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000307861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.782{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F20E296296AB7DA7D5CE20F453A30E9,SHA256=939B81572C24DE66C52AAF569C4A1184AE0D16D0BB1F562A14482C72E89D3DFA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000307833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000307828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.770{F6DB49F2-F662-6305-9605-000000007602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000307821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.766{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B35AB4BC482CAE312E102EAE9EE561,SHA256=2554121A98EFF87A7FCF1F60A15A32DD6CCAEF50F33EEEE56AD1A10F719B7280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:58.628{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.335{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000307819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.335{F6DB49F2-F662-6305-9505-000000007602}44765200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.335{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.335{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000307816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.192{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.191{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.190{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.190{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.188{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.188{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.188{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.187{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.181{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.181{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.181{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.180{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.180{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.179{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.179{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.179{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.179{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.179{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.179{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.179{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.178{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.178{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.178{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.178{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.178{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.178{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.178{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.177{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.177{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.177{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.177{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.177{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.177{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.176{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.176{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000307781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.176{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.174{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.174{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.173{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.173{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000307776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.173{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.173{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.173{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.172{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.172{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.172{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.169{F6DB49F2-F662-6305-9505-000000007602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000307959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.932{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4872EB2A696EDA6C99588375A453828B,SHA256=94F779D27544F50413694F39BCD41B0178FC039318595B129DEF21CF8DA16F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.930{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A180A5F546A0C6070B881C0ECC0B472,SHA256=3AADE15E7F02791AA2EA096C844C42F068D3D4F7E5E9158B8D5EBBE676806093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.913{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3389EBE88E7E1A4CB5351C6C29A69748,SHA256=44E5EDC2DEC990A55F180B6106FE45B18DC60F9B64942E87932A579A9C3F8C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.913{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A09CFBB6BDBDF0BFCEA818F8DF0340D,SHA256=3E4B1E16BFAF80CFC1258147D875C4AD6ACBB8E45B99E4A10AC5C7FBB4E71B03,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000307955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.635{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000307954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.635{F6DB49F2-F663-6305-9705-000000007602}61244240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.613{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000307952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.613{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000307951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000307950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000307949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000307948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000307947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000307946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000307945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000307944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.466{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000307943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000307942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000307941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000307940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000307939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000307938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000307937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000307936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000307935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000307934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000307932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000307931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000307930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000307929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000307928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000307927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000307926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000307925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000307924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000307923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000307922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000307921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000307920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000307919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000307918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000307917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000307916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000307915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000307914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000307913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000307912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000307911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000307910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000307905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000307904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.451{F6DB49F2-F663-6305-9705-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000307903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.332{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.331{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.330{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.329{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:59.329{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000307875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.877{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54933-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000307874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:56.806{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54932-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000296136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:00.024{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEB650E6FDE513078709256CD3D4361,SHA256=712A8BFA74F76D050FD4A736115AE38221A78B3FE263FB0D657A2B00BB3FCA29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:58:59.639{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61359-false10.0.1.12-8000- 23542300x8000000000000000296137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:01.139{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1DA825B532ACB0CA750A5D005BA6E3,SHA256=D1F81058A37362201807067E25AA0E3E461C906418B4E6D364F1AEE9D4DA6052,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:58:58.983{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54934-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:01.031{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12F91942CAF5195FC677621330C0C9E,SHA256=1DABB2BFC218C8DC410BB44D1164C01C74E3C722C1265E251108295BD7D403F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:00.674{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local59943- 354300x8000000000000000296140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:00.674{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53376- 23542300x8000000000000000296139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:02.159{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A342F16A61C1ABBCA63B7AF976B781,SHA256=0C659CF55FA4BD5A0A086F0CDCBAAA337B6275A4BE94A7DEF60914E88B6A41B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:02.150{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85645D71F934D8C2681BF1BF1852281A,SHA256=5150E9078E8D91C0DD9A2EBE1E386C34BD0F028C256DF8D89E4238A13507BD01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:00.675{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61066- 23542300x8000000000000000296142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:03.259{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5FB7BB05DDE993929B914A96DCFBC1,SHA256=5C0337832DE5ACDD6579F8AFB570E2951C6BD05A9C8B1332206CC53669D64863,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:01.266{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54935-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:03.166{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03BE18E1F9B5E5BE3120EE719E23C1E0,SHA256=203B3CDF6BB3D5F23873118FC9929B1D96F680EE5FD9256118ED6F9F6DA2F7DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.698{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.692{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.689{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.687{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.685{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.662{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.655{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.640{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.635{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.628{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.616{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.604{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.592{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.586{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.576{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.564{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.504{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.499{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000296144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:04.358{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FD460A7E5E0FCCF10CF8CE799FE198,SHA256=C388AD0CCDDB9D70D996D2CE25E9FC9BFF528E2C7ADE9DB55859FA43339B6E39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:01.945{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54936-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000307965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:04.269{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9763EA4D34D5B42BA32AC7979A15F8B2,SHA256=DB9F00A8C4F72AFEC33BEC0C15C025AA17679E7362EA4F9C970417D42401B6A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:05.410{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D5B9ED7DDCCDD54E313418FAC4465B,SHA256=3F7792E4F0F3910CA805B638BB75938D876AC60911AB596F94321CCF600D1CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:05.351{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF6343023168AB5AA8E312AF9DD8487,SHA256=B06B73E06B811891F99917C40CB17F91E974EC898B457B81125FC97E12D20A26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:05.121{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:05.117{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:05.111{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:05.107{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:05.105{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000307969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:03.451{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54937-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:06.452{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A561D6ACD09A5F4AC61B96FB0D6C7CA3,SHA256=6F727AE4E1E3759FC302585F418B0C7D3BA720E163DF0FFB6C9371048B48A161,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.990{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000296277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.990{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000296276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.990{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000296275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.990{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000296274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.990{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000296273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.990{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000296272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.962{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351251BFFF830CBEED1A0EF99B55D7D3,SHA256=F3881213FE25F0EB61EFB3DE0A4BFACEBF9BCCAAEADFD1C452CBE5A0829791B1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.829{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.829{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.829{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.829{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.829{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000296262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.812{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000296244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000296239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000296237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000296236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000296235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000296234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000296231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000296226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.797{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000296219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.343{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000296218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.343{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.343{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000296216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.144{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000296196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000296181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000296180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000296175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.128{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:06.127{D25361F1-F66A-6305-3805-000000007502}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.930{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88983ED5B5C211470ABD8A1292AA17B6,SHA256=CB27EFAC8A588124B4541EFDD8ABB4C089C5399650045CE76A688441CFC5072E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.930{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3443CB81E113DFD9F44CD083151D18,SHA256=3CC83EB0813DAFB1EA7772F9974B8C0102F6F7C89E0EE70FE298884B706C933B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:07.567{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA6CDCCDA164FF3226676A9DF2C9870,SHA256=1D95E7F8021B9444C0CF8B62DD69C86B63E4779379926CB25D69B5D860C51055,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:05.623{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61360-false10.0.1.12-8000- 10341000x8000000000000000296362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.789{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.786{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.784{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.782{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.779{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.777{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.775{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.769{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.751{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.743{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.728{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.712{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.705{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.698{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.693{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.692{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.689{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.687{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.685{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.684{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.682{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.681{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.664{D25361F1-F66B-6305-3A05-000000007502}49046468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.664{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.664{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000296337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.480{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.480{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.480{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.480{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.480{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000296328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000296313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000296301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000296298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000296296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.464{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000296294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.463{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.463{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.463{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.462{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.459{D25361F1-F66B-6305-3A05-000000007502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.244{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC67DE1504F17AD0E4DB8D012D49DCEE,SHA256=4E79593BC8D31DDFE32045773EE39126EDCB00333445A80067F0B12CEA7CBD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.244{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8C75E60AE9F94E28D5A2679CD5DFDD,SHA256=12C2C5CAE8B653724E113434D6DAC6293BF4E7D2E092CF039105E712489E643F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.167{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.162{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.152{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.150{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000296283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.143{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000296282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.080{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000296281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.080{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.080{D25361F1-F66A-6305-3905-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000296279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:07.001{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8CB15B5E28CD10DE7CAB6D0EA3CD9062,SHA256=231E75690D66492BC94C3B156658322D78F6E2B2910C6B05695D8FCF922C6FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:08.652{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69186B2F13AF27B64366CD7403F1FA98,SHA256=7C24E9B683F7BBAD6DFBEE4E398DF77C917BC4CB7BA92294027926408B96AF60,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.842{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000296444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.826{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000296429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000296424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.811{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.363{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F170BAC8DCD35CC83E0C48F961747F77,SHA256=C3864D54DBCEBA8BB873331671E5961B8148A123854F660B7E30F475E30C99CD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.298{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000296415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.298{D25361F1-F66C-6305-3B05-000000007502}26207116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.298{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.298{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000296412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.164{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.163{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.163{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.162{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.160{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.160{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.160{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.159{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000296392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000296377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000296372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.140{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.141{D25361F1-F66C-6305-3B05-000000007502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000307972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:06.947{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54939-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000307971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:05.646{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54938-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:09.798{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1880DCB0906FBEAA2790D7AF1F96B568,SHA256=D432BC9DCD037BB4AFEE962232D0A58C895BE632DED2F32AEDC7B13FC4160395,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.663{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000296521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.663{D25361F1-F66D-6305-3D05-000000007502}58567088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.661{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.660{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000296518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.495{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000296499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000296485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000296484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000296482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000296477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.479{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.480{D25361F1-F66D-6305-3D05-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.119{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A539EA9D8E5F8145877CF3996743D5A5,SHA256=2403C8690F46657250D0F07EC8B08D6AB7BAD0B3627AFBC9C27782B6D67D3904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.116{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDA0F11A090FAD9277E992E78957F4B,SHA256=72B326CF88DE953F1F96E2099E5F34143D40F9597A58D6BA31F59EC5973B45F4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.995{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000296467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.995{D25361F1-F66C-6305-3C05-000000007502}70486168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.995{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:08.995{D25361F1-F66C-6305-3C05-000000007502}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000307976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:10.930{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D253FCEDF2B8CC9D076021F06BAF1B9C,SHA256=46E5C80B6A63DAC95F3499DB245FC6E393BC93B020ACD02B08066F2E85938B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.019{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000296524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:09.019{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000296523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:10.210{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978256031DD924A375676E232D0A999E,SHA256=457BEFD49E72AAB5F93F8925F65DAB5DAA54094AAC9960BE52EC18BAE5DF1A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:07.932{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54940-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000307977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:11.965{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19635DA37D2409085DBB20E02F9AB36E,SHA256=6586AF5CB4BADF8D9A51D0BB6F9DB1DDE3D237933E5D7733620CFE02F25F9D94,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.826{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000296576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.811{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.811{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000296574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.612{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.611{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.595{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.595{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.595{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.595{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.595{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000296559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000296542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000296538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000296533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.580{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.581{D25361F1-F66F-6305-3E05-000000007502}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.280{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79573852B08029C7253AEE3799B70DAC,SHA256=208D916FDFC88CADD289152828E22A8519BC93E23E8742E0BFA78376F1ABADFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:12.610{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A254E84B30B8FB8F114946E6FFFAF93B,SHA256=E2EA6159C25E5646278935F5AF6CA10CD267A812919A65AE70095AB279CEED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:12.426{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A24639563F5DB227CE6C0ECC2B6D5B9,SHA256=243312156403EDF125DF53F5579B995114EA5FB1F25C704EE1F49B6EE7CDD6BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:10.229{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54941-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000296580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:13.541{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE15EE95A05C00D4C8F60E2D2BD4FF6C,SHA256=04136A2EC912521789BE7D1ECBC70FC3C5DA4D34C278BE21247587AE1A42CF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000307979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:13.011{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757E260B171670803376930765204172,SHA256=8766DBECFF1187F7E1826F459FEF5CE6DC036E124B16C1325EC829275C9C79D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:14.660{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69B584CCBF0D3A3B60FC647932CC62D,SHA256=D0323F11F61C3C45EE840461EDD62C9EB19B3511D4D821B7997249E0824865DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000307982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:12.826{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54943-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000307981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:12.512{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54942-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000307980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:14.112{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A43698190C718AB996A2C57FEADCE3,SHA256=C4685D673F18C052F87DB7242D253F698DC3D8550008A85544E9081D629EF4B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:11.620{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61362-false10.0.1.12-8000- 23542300x8000000000000000296583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:15.759{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EA00BF1F5A186E3FFA51E713B41F23,SHA256=79E4601A33752C1B82AC2281A2B8A433B2B59725C95D7A63D45139C4596196D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000307989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:15.995{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:15.986{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:15.979{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:15.970{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:15.960{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:15.958{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000307983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:15.230{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A551C79BFDB64CC1187B372FE09A25,SHA256=BB9D9A77E7CC9EF321B150876783629438D04795EF082690365E1F9053D03407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:16.860{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB4F30B13B2E1EEDC71473E6CBD5FB1,SHA256=E88BB0EC812BA80AA7E331F4536EAFEF0E590FFF5405D9A69FF0F0981BF36500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.586{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9714A1F6233815453317C72F6710E9EE,SHA256=B0D7B2C3946D96592FD1097D80E4FCB4DE9E7B3412ECD40402DA57D97CBE4C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:14.781{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54944-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000308038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.271{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.270{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.268{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.263{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.259{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.256{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.253{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.250{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.248{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.245{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.241{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.236{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.234{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.221{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.204{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.202{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.201{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.201{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.199{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.199{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.175{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.163{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.141{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.131{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.123{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.119{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.117{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.114{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.112{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.109{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.108{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.106{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.105{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.104{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.102{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.098{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.096{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.092{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000308000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.087{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.084{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.078{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.076{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.063{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.053{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.048{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.041{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.034{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.024{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000307990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:16.000{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000296585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:17.979{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5C0BF8B0609462758F47C3108D4CBD,SHA256=5AF480AF72D3FF79B9C12BBDF67B9A0F5ED0A70A62AC4B42DD8E396F2E881E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:17.310{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F572EF77FA3A6A7DC43739EB6CAB22,SHA256=EC38569F1E4A030B009BAC3709336374334E4F346EA3B46ABD5B03C4406D1259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:18.410{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93081D8F69E6521DA0AEABCD8F23545,SHA256=B7E8995DD165BA54963639D2E0C843FA282D0407EF9DB9E3B2C704D0F329FAD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:17.958{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54946-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000308044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:17.064{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54945-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:19.510{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09AD90EDF45C971B5975D81C2A4634C,SHA256=36F28843F54257FA8BAF72501989DA93E50D3F955E87B78137AE5B4AF9108684,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:17.541{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61363-false10.0.1.12-8000- 23542300x8000000000000000296586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:19.094{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F22C4B43D7AB824C923907C50FBF249,SHA256=1781DAF6FD7A4ABD2A9BB5C30AF2873FD3D7F1D6E176E0C84E0DC9FC9E9E0E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:20.629{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF831EBDD1271915D1D38F83860AA98C,SHA256=9BD3401258EEDA99EA5BD423D819CCF32FEAEE9A2A92263CD2D6603D3336E512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:20.325{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:20.224{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C22B8E056A937EE321F7103BC7181A8,SHA256=56DBE83981CED48FBAB51E0CBBD3B8548E95DE47CCD90A389C4E5DA687D4A136,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:19.346{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54947-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:21.746{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5C52DD07BFAFBE9AE5D3A7E60794B2,SHA256=E404691D1C82A4D589814AD7F8FAD2C1EE394613B139026621F8C29D19555692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:21.358{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C8700403AD1C61E9962E960E518782,SHA256=DCF2CEB089CE7426695C90754E724D58C666F82B1A098B619B292603DAC73B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:22.850{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38981F38FDA6A1CF5C7B1BB0550255AA,SHA256=A6F36EF89542A38D3184E0CB6EA5167EC4212597970EA098E4925F472A752F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:22.423{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A452662206A3554A3F92CEDE38152CF0,SHA256=BCEEB4E522C8FCBDA8DEE444553C63141F196594E46CE0F4D2332F492E735B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:19.772{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61364-false10.0.1.12-8089- 23542300x8000000000000000308051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:23.994{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E580C1F9F87428AD430BA6D4A987BD48,SHA256=2249BF95542344BAF8EE8B28518ADE343FEE4694ECB2A57B7EEEA20A88A621D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:23.638{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91948A50D6E5C071D1F211C6F3C554F7,SHA256=5A42E4C39A3DF6829CB24BE22DEA612A93E5C7BA8BF289D2BB57E8CFDF9EC3AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:21.533{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54948-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000296612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.744{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A555A7B2DE8306B046A8B6389A327382,SHA256=298F5EF15046E3D11A0E2F28F25168D8275ACAB0F20873E1C4E302AD9F32A696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.710{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.704{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.699{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.697{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.695{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.672{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.667{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.654{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.649{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.641{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 354300x8000000000000000308052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:23.020{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54949-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000296601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.634{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.625{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.614{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.607{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.599{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.591{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.505{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:24.502{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000296619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:25.776{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AAA54E852B817F64FE0627ACFF5A49,SHA256=D34AADCC5F49EBDA860C0CCA1B1A1B5AC97CF428B92596D2BC6669B6F3F015C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:23.810{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54950-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:25.761{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BF43206D67B9EADFFB7254F7A4AB1756,SHA256=4B14F4B62B07BF386D7C994D823BEAF4AA806BC2CABA8F4C9B16F35F0DB6314F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:25.126{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB23D6319A3B1FABBAF330A094D7D0E0,SHA256=3BF3C3F5F68D40B04E42AAA97074355BD2EA62DA9C8618E1B28E02A85C99082F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:25.194{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:25.192{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:25.189{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:25.185{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:25.183{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 354300x8000000000000000296613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:22.620{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61365-false10.0.1.12-8000- 23542300x8000000000000000296630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.859{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6C46D19E3BEE37CF5792A28185FBBD,SHA256=E601F683A2F709F579F5902D65B7751BCFE5DCFB6575C2B5D418E19750355F2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.791{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.779{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000296625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.779{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000296624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 23542300x8000000000000000308056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:26.245{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8130CC580F127FD415958AEB6D4752B4,SHA256=213B85D4FF94ECE5C14BA883071F591932AC980E7D12E5451BF6BC065A987CD2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.774{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000296622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.774{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000296621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.774{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000296620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:26.772{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.877{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.874{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.871{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.869{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000296654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.868{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B7C1B387D64E9FA8B0547F68D29F9A,SHA256=052296C916D38A65AA211BF37618D1E370B053B0BB3120E80FF19DDBC7051FB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.864{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.861{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.859{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.852{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 354300x8000000000000000308058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:26.108{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54951-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:27.376{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39C4A6C18705CADA17687FF57F04D9D,SHA256=3D88ED55E7E5A157841AA9D906148380FC651A7E17ED5F15897BFFFFB5DF15B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.832{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.821{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.810{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.794{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.787{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.779{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.773{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.772{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.769{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.766{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.763{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.762{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.759{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.758{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.250{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.248{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.234{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.232{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000296631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:27.226{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000296659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:28.978{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC1D2303352A490A4E3DF74FEE677F9,SHA256=4B6FC5D0A5AC3936B816D4DC70BA60975591359F86A0E254499FC2ACD3F06567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:28.477{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BA89D7D7B9BF37F57D63D750006806,SHA256=856FC7910C4ED35E4C9AFDD4798E573888289366C382AD5B4C27666929D9CEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:29.509{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0895C984472A3B6B978CC676C55E5E,SHA256=6CA1C6CBA365A04966C125AAAD980C813F31FB8A68460BEDA7BD3002E476B47D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:30.645{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67328A4E21191025BD46C1AFFEA2E113,SHA256=DB0E505EB8727217B595074D279BD85F72C3A0E69B690C10F160FDEF17D8BBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:30.110{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90495D0F2F2A7E9D1E63F55F698C4E8,SHA256=D281F4032B5D4B0FEF185F7DFA583EEDE8758468D5E65330D1E0D895D3E4EBBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:28.292{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54953-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000308061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:28.040{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54952-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000308064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:31.775{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B4A091F8B4E72CD87ED27EDA56E4B7,SHA256=0CB0897D400091EC69CC0886A981FF7D3CFC1EF1E155C64BE1B069F9D914EEE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:31.352{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD3E69D8D7B0409704F2384C655EDF,SHA256=13456C3CC0570E1E80F4FD4238C8310C71794F51DE7F9970D3C77D3B67AA2287,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:28.613{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61366-false10.0.1.12-8000- 23542300x8000000000000000308066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:32.906{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5DDCF8D7D74809BD49EDFD2CB3EB626,SHA256=E10D16DC53CE3522350144B92A1A929E1A8D6B66948ACD571C004C587CCAB3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:32.424{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B457315DEF36F12DC97E34DBC46E26,SHA256=AE23491229EE51DC92375C626866B7A4BF728CEB8038773800CD55A724A868CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:30.491{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54954-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000296664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:33.557{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA20594D63D6023E99B3B2E41F151DB,SHA256=3D7C0DADC3490D21A3E69958F4668B2635A2FA263A888E8CCBE53F11DAF5AE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:34.592{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1618562396FFC9E75340B41DD21BE7CA,SHA256=1CF0E104FD8A58C631E2BE9105885B9A926E880F8728AC271B97B04996877792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:34.005{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF4311050268D36CF5A20F910E28060,SHA256=B32921E69BFDE03B88D0DBCA43A55A374A746D4A08F888A5FEED1E401D6DC903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:35.707{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA061754BB42BEAF123AB0804262C638,SHA256=D14746CDD5BE44ACE31DF3D8B000641271D71E592DF9736A082E3DF30D1AF9DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.995{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.990{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.982{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.973{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.966{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.962{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.960{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 354300x8000000000000000308069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:32.675{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54955-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:35.122{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F2B30CA1DD5D802209C31869336143,SHA256=3A7A4B887DE4DB6E5905B1880B4EC41ADFA506218C71066CEF7B1F8CD4D4A898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:36.823{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E3F14016B8E79AB80372C62C17F6E0,SHA256=AA018569BBC3ED6A5F80A0E0262AE051FA2C6DAD5A52B8BEB7502D58AD49981B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.522{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAE2F0BB4BB23F0012294D5100A1596,SHA256=1FD89F060DB4E11E18D7DE7E26AF054F0390F9D55038367518CE9AFC9FEDD6C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:33.800{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54956-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000308124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.224{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.223{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.222{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.218{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.216{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.214{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.211{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.209{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.207{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.204{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.201{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.199{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.197{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.190{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.176{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.173{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.173{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.172{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.172{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.162{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.153{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.135{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.129{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 354300x8000000000000000296667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:34.600{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61367-false10.0.1.12-8000- 10341000x8000000000000000308100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.122{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.118{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.117{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.114{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.112{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.109{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.108{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.106{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.105{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.103{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.102{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.099{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.097{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.092{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.089{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.084{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.078{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.076{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.065{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.056{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.051{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.044{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.037{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:36.024{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000296670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:37.937{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101C06833177DB43321F3CE358ED8A23,SHA256=2B981FD3B646636AFBCC305B0AC41E58EE0D5B84B3A5A77B827494DA6F2C5FF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:34.873{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54957-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:37.231{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEAE637EB576490B4B554DE1108881C,SHA256=86A65F0A3DD1CF717EE62D4F0E0B152480ADB825A3992F3C7E2997C2074AD977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:37.559{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=74F9F4EB84F17A44D7A3809BCBFEF52F,SHA256=DE64163380DAD05F29CDEF41B0A0B8439CB2FECD8995012690703F63F86FAA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:38.955{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6725AB56438486FA6C2FE54A1D35DFE7,SHA256=DF29C6E38038438896ECE0B7FE344EA0BA0F59A670EA88573D90ACD180FE5E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.327{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BEA25688527A9AE40C0079A4AE98964,SHA256=30FC6B3A3ECC1BFB7239BAD629B70386778830FC6987BBFA35CBDA1D868CC4B5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000308135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.315{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000308134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.314{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000308133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.312{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000308132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.308{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000308131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.308{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000308130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.308{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000308129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:38.307{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000308138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:39.327{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1167C969B2CBF608AE3E532F47B04BEC,SHA256=FFEC0B8E50EAA07C24CCA3366B39EDBD026EE3A1CC1E8C684298854BF320408B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:37.160{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54958-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:40.445{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3B18174938AC26C90129A2F618DE22,SHA256=95FEE4C1B6575B12FF34AA6215F9F1BC4EB230234E42CE07EC11F417F7B2721C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:40.174{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD3948FE24A7843194671D92AC6BFC5,SHA256=CAF20F792661A857A39D0823A774CB9E9C247D463C6D8082D7BE45400A2D87A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:41.546{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D19AA7BFD0F51AE049402E446BDAB0,SHA256=CA0B2177B2AE146091B957BBF938091241A0D8443756022F6172402F4B598E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:41.404{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=95F17B43A0E160665B0AEFCB487BB463,SHA256=FDAEB077BF201CECE46F1BFB8C9DFC1F33EE7AA2B0800B155D28DD7B09D0DDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:41.204{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9EB2A0C6E811701D2ADD08E510990F,SHA256=CB824F0BB7D2B2D49D1FB0660A15F9D74D836524C973F99245E0C1C738726F5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:39.360{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54960-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000308140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:39.001{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54959-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000308144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:42.745{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4147C014D558C10783428CBBE3425774,SHA256=C80B0CC173A85E72B0C29F7B7C9AC0D63D8AC20BC89AEB2EA61E3CD30437E551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:42.661{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106CB1DF2E21299027F5D37214A32C8B,SHA256=74589BCD63B77F298F64AB11C76AFA1F529B5B729BA4A1A8FF7E38DD79FCE391,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:40.551{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61368-false10.0.1.12-8000- 23542300x8000000000000000296675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:42.321{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80A2BACAD5C31F040061A55C2AD06FC,SHA256=700F9CE52D00F6D47EE31731AE169C8DEE0C46166149CF661D722BE00DACD2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:43.962{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:43.762{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139DDDB8B9C66510BAFC11AAED04301A,SHA256=0C90A8FE2F21D34EFA465D76F0769DB282D531730EE085D60473627B2A833743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:43.454{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86BFBF94236E2AF597C627E5FF38662,SHA256=7EA92F2078F703E64F2C956F7C62AAE6DFEA7DF7D22AEDBFD5097BCC0A2491DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:44.893{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72A54E49984C99AAAA7D169EB2657F3,SHA256=D726BD48FE6AAD54777223097FE27D3FBF16947EE084D4BC0164E3AD4C316CC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.667{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.659{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.656{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.655{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.652{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.629{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.623{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.612{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.606{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.598{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.591{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.581{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.570{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.561{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000296692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.556{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F09F961FFDE085BBAD144E4940F9EA2,SHA256=EC2BE32C86A1E2668ECE1A7D6CCF63D0AC5F0EF6A7C5BF499068DB5D2133E9E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.549{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.538{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.492{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:44.490{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 354300x8000000000000000308147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:41.661{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54961-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 13241300x8000000000000000296687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.356{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0096e70a) 13241300x8000000000000000296685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b797-0xda559b71) 13241300x8000000000000000296684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0x3c1a0371) 13241300x8000000000000000296683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a8-0x9dde6b71) 13241300x8000000000000000296682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0096e70a) 13241300x8000000000000000296680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b797-0xda559b71) 13241300x8000000000000000296679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0x3c1a0371) 13241300x8000000000000000296678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:59:44.355{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a8-0x9dde6b71) 23542300x8000000000000000308150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:45.927{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D13D26793197AE2342F33DF15CA1C6B,SHA256=E1F6249BFA4269FB58900B635B9F32C4C420E17EDA294ED261AAD4D1F75B3219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:45.612{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8681AA69E7EE94AE7EF3C4ED9ABB13A4,SHA256=12E6978312D995CDB110832AF0F4D2278B132F949DDB9B6118E28AC470D6A647,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:43.741{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54962-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000296711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:45.100{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:45.098{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:45.095{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:45.092{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:45.090{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000308152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:46.998{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6A74AE318BAA58FC775A0C90E91D75,SHA256=F7037CCD36482E55175377C48FC51B52AF75FC23794F0ECABF90FB38D697CE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:46.720{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D688E4FB172FC1111486370449B9FD02,SHA256=74302FD56001274007E08ACFBBAD51729BFC72F8A1CDD7106BB705859B1B4755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:43.963{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54963-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000296741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.831{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.828{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.816{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.813{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.809{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.805{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.802{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000296734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.797{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E541E085E88FFCC7BCBA80077ED73B7C,SHA256=0CED84762E18A4F354EFE6B62FF810402FA8731AA3769867BD3D6B3AA9DB278A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.792{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.772{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.762{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.750{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.728{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.721{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000308154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:47.496{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-159MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:44.888{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54964-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000296727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.710{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.703{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.701{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.699{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.696{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.693{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.692{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.690{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.689{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.176{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.174{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.157{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.155{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000296714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:47.149{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000296743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:48.788{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B941C38104106F88A4E0910CF6EDA215,SHA256=D3ADC2038A9B59CE5FA542CCB448BC739CAE6061D936262FF047899D9E8C49AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:48.511{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:46.263{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54965-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:48.047{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFB4857B3FF8FE43214503554989FDE,SHA256=C4C77A6E02E30E0F1DB5E7AF249EC34C42967DCD7E6F012750739C91FE0F41DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:46.502{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61369-false10.0.1.12-8000- 23542300x8000000000000000308158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:49.178{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9DB2EFB537DB03A2B935B26A1173D9,SHA256=5A9D42EC9D7125DAB2BF24E436CBA2F4A72682F38B250ED1E6EDAE34237E887D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:50.035{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF939DA6CA03B8A1775AE7E0A48395A,SHA256=0DE651C2ECE86ECB0B644D369BC511CDA05C322B46CAB39710D5EA55133A1E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:48.563{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54966-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:50.279{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0FC66667DDCC890AB5BFC1C0CA5A99,SHA256=CE877FB8C707E4D66059FBF71F74546E0E84B12EEF7272DCC239C5FE0C282FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:51.273{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665D2B335CE0A2EE8DE8CEB9D37E29A9,SHA256=31EDCF98AA862D8D2C1107EA81CBB4072FD7A5F41ECA7F0AD3229910A01F7F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:51.397{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A9CE5BC2530DFABFA3B2047C669E4D,SHA256=660F3096404F5CC93CE8130C73EED1E81B22E080B4EEFD7C0946A94FAE90C313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:52.372{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBD4741B82AF9C4B23490A2365EA3BA,SHA256=29528670B2E8FBE5DD7161DDE1291A90EAF56E904D4CA2BF3CD640B0E4405328,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:50.020{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54967-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000308162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:52.509{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDC8AD895041097EDCFC8BC4331B1E5,SHA256=FB89EC6AF21F603F70C712FDCA40F4B2A9F40CF01BEADB4E63C87B82AE2C4DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.765{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BC7B378822944978A7E6B72838DD42,SHA256=A0E7D93EB26DCBF8174AEFA3DC4824E88C6F05BCB907C5129058CA043066044F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:50.863{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54968-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.547{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5385438FDFD65CE0C7F0C2171B93E641,SHA256=DB5F71514A98B7CF2905E66DF4FF9F977502EBB0F0B04932B8143BAEC6427FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:53.487{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B25CD7CF8E5D31D44E1775CCC892972,SHA256=7D8D917773BFA3825786F1C47F3BCED1A8064995FAB91BFE42FCBB2EB2CD207F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000308214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.335{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000308213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.334{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.332{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000308211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.181{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000308192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000308176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000308175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000308171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000308168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.165{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.166{F6DB49F2-F699-6305-9805-000000007602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000308219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:54.612{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7C869E6418799A716B81005B32E1FE,SHA256=FF03EF9BC5FF64BFEB49E406AD3DBD5619BC3C25208D822F89CD589CD71C8064,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:51.665{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61370-false10.0.1.12-8000- 23542300x8000000000000000296748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:54.586{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153B805154F0307F09AFB8BD7B1F8F71,SHA256=D63C33DDAFD607A2B72C723A0192927059D3B79266274E67629863669CA122E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:54.265{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F70D1E0FE4B8BC31C4B12D6C81A2CC,SHA256=58E841BDCEDA21DE6E26DFDE3C3019C9E6B3F5F499545C6D44601E6CE3521E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:55.704{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78E16DB1D20AFCABF9260F498A6CA5C,SHA256=6978AC7F298194DCEB5A88CBB6CC39A57E2C3F1B569DF575527E36B041D99EF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.994{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.988{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.981{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.973{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.966{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.956{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.954{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000308273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.952{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=56B2D4299EB744C215D83BEF03146141,SHA256=5E24F504DE694B3B9D876B383F845AF133360ED6314DE065F2BBC55C0283DF85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.827{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8089DD8DB9334D4FF8F4B14A2D7D2FA3,SHA256=C20696A880139C8D17C0CA4859B41E74A00A75A5F6529648E9AE1A8432B02FDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:53.059{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54969-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000308270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.544{F6DB49F2-F69B-6305-9905-000000007602}49363448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.544{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.543{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000308267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.380{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000308258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000308243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000308231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000308226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.365{F6DB49F2-F69B-6305-9905-000000007602}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000308386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.747{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E59F0FF8BA357A31C1C299DCFE8D525,SHA256=E9C0A68186372E2C1EE3B1D9273FF832790BF6E8CA13BA231C0AD282D55C0AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:56.790{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D49DF5844CF90B742A90497839D2D3,SHA256=8710D2BEB36F5AF905CDF1BA8FF098DCCB1F6966993B778E84ADC3D69CBC60A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.449{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523705987D728622F0B903E050A3ED54,SHA256=F91C8D3B4677B56FD1B90DF4AA7933887A7C182C599FA8F8B4EFA4639ADF03DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.262{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.262{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.260{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.255{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.241{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.227{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.225{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.222{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.220{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.217{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.214{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000308373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.211{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000308372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.211{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000308371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.210{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.209{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000308369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.208{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.200{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.185{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.183{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.182{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.181{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.179{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.179{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.168{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.157{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000308359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.156{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803D6D24F51A2B60E0082865D52F9907,SHA256=11A9560A91F900FC0B125FF79E16A6F5DC929748864C18879B1888ED57CA497B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.138{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.131{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.117{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.112{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.111{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.108{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.107{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.105{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.104{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.100{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.098{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.096{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.091{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.088{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.085{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.079{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.077{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.064{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000308337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.052{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.052{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.051{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.050{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000308333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.050{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000308332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.048{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.048{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.047{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.047{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x8000000000000000308328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.044{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000308327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.041{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000308326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.040{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.040{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.040{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.039{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.039{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.039{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.038{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.038{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.038{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.038{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.038{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.038{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 10341000x8000000000000000308314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000308313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.037{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.036{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.036{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000308303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.036{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000308302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.036{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000308301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.036{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000308300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.036{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.036{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000308298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.035{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000308297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.035{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.035{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.034{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000308294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.034{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.033{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.033{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.032{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000308290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.032{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.032{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000308288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.032{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.032{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.031{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.031{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.031{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.027{F6DB49F2-F69C-6305-9A05-000000007602}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000308282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.029{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000308281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:56.019{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000296752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:57.923{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29D57FD9E5F5BC88E11ACD0BAE7187D,SHA256=0643DF2746363BA76FC7F204935F9B980A32F3D15692E8C8412F5F497924ABB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.928{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFAA2C56E9899F2D8235AAE50AB71C5,SHA256=61AFFDDECA441F1FA18E81769F9BC73D01935EAEE53C187A034BA12E8072427A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000308445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.681{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000308444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.681{F6DB49F2-F69D-6305-9B05-000000007602}60883700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.681{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.681{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000308441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.551{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.551{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.550{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.550{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.550{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.550{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000308435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.534{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.533{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.533{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.532{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.530{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.530{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.530{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.529{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000308416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000308400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000308395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.513{F6DB49F2-F69D-6305-9B05-000000007602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000308388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.941{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54971-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000308387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:55.281{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54970-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000308545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.880{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000308526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000308510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000308505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.865{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.866{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000308498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.365{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000308497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.365{F6DB49F2-F69E-6305-9C05-000000007602}3483756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.365{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.365{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000308494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.212{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000308475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000308459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000308458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000308453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.196{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:58.197{F6DB49F2-F69E-6305-9C05-000000007602}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:59.179{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-159MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:59.039{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC72C14A211AE19A33C8DCC7B32BDF01,SHA256=065771DF3B60AADA24D7F462BD09E260C858B29D79CB9538F16C134F8E92BEC3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000308608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.715{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000308607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.714{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.713{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000308605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.687{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.687{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.687{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.687{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.687{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000308600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.686{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000308599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.565{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.565{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.565{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.565{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 354300x8000000000000000308595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:57.481{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54972-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000308594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000308584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000308566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000308562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000308557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.550{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.549{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.549{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.549{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.549{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.545{F6DB49F2-F69F-6305-9E05-000000007602}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000308550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.049{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC3AB33226A493EB9F2C509DC2A35E5,SHA256=FCA503944D0112036EEFF31944EFAF9CA0C9B16840C9BD53FCCDFE5FFEA6FAE1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000308549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.043{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000308548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.027{F6DB49F2-F69E-6305-9D05-000000007602}36325020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.027{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.027{F6DB49F2-F69E-6305-9D05-000000007602}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000296757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:00.358{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EFC435C195E008EE1768A00D0054BD,SHA256=830C6922AADBD1CE84B8E53445286D5FAF4E98CFD13C835B5F8C5241E99F9679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:00.166{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AC8C7282FE13D2DC20E649B0B74A84,SHA256=37C50A4D052EFDF51B02803930B6B3C192F78D871119C048862DCEF8022FBC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:00.166{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04524202CA6227EB2374BCD979207406,SHA256=0C18315C5C1B286E22AC1F055ACE0A262AC6E966A03E7F89A1EA9964ABCA1BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:00.166{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FBDB1BFDF064D6AF0D43E52B699FF5A,SHA256=E2BC57A4D2C2FEB12ABF8BD2B5A428B66889E9DA8CC378B9563AC8FA389EA9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:00.177{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:59:57.569{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61371-false10.0.1.12-8000- 23542300x8000000000000000296758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:01.475{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0604E25E51240069E56718EBF2D875CB,SHA256=226D0D4BB20B96F52565628889F56959C31F244EBD8B0E2D4D04F664CE88C904,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:59:59.681{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54973-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:01.283{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C89AB82B924A284BE15924B4AF3121,SHA256=6C06993EF77BCF50745D2799E030F3A0160D76D37C121910C0B8CA4319982552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:02.592{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D77C9735C06399FE8E7EE56A877BA9F,SHA256=744629C551AD0B6153B237AC8C2D2DE4B29C06660B42D4B46F9A4F381491BA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:02.384{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F53ED2E1827E1008E281D7BDA9CE384,SHA256=53B115E9762190AB6462DBD5AE4FAD7C3F73BC3A6995C17FAC84D60EB00BE103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:03.609{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0C18FF2D3D14E6CE3346E0A9EB263E,SHA256=C62296400FB1D14FBFB6E22808FB096077E89B8F7A6A20D2C188E3122B443BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:01.984{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54975-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000308616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:01.894{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54974-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000308615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:03.409{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D9E53C4EA14F9F3D00C1D49EC09522,SHA256=4E96F66059A6CB1EABD5E229B7D5079BA993A7C12C10DF353A7F18752E5D5BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.717{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5570AC947FD7039BBCCF6769345FB0EF,SHA256=02E434B762211F40F5C82F894BB78F1F8E84340AD1DE483DE2955955EA29D7B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.653{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.647{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.643{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.640{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.640{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.610{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000308618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:04.502{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D7A6337B1B30637044CD54C5CD9C1C,SHA256=58370C5719A6811FD934030AE05D546D1C35FF89CC7225CEA0B8E609E5ADC87E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.608{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.595{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.589{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.583{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.574{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.566{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.553{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.546{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.538{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.530{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.490{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:04.487{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 354300x8000000000000000296786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:03.515{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61372-false10.0.1.12-8000- 23542300x8000000000000000296785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:05.642{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7896735E9F1460BB2CB5DA6DECC2354B,SHA256=65339E44C50BC0E4EEF05477D2261F0FA56D42508574E04165BB56D145938DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:05.616{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AE43237B6299BE9A5B98A11D4DF562,SHA256=AC7DB4AA223EBA81E4B136580E1807FAAB7CF0664762A7D760E51523DC3EB389,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:05.132{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:05.129{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:05.126{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:05.123{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:05.121{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 354300x8000000000000000308621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:04.285{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54976-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:06.721{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F4C52FA66DC0604DE3D4625153FFE9,SHA256=17F876587CC25766EDD9290CF6F56F415F9A60B27991106FF871E39DB3AE51C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.892{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499DF577571D7B7788AE32B4FEF056C8,SHA256=0CCC3326D992D3BFA89EFD7A051758E7F209D0AAF99D95A1D63EAA96E69FB480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.892{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=50600E9DD4C02234C4BE84F41E2A7BC2,SHA256=2FD53F5D5D05F557E335F6CACE790971065619E8E03E10227FBA5179465F7A86,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.810{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000296862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000296850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000296849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000296844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.794{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.795{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.377{D25361F1-F6A6-6305-3F05-000000007502}59526648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.377{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.377{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000296834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.160{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.160{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.160{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.160{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.160{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.160{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.159{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.158{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.157{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000296825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.141{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.140{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000296813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.139{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.139{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.139{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000296810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000296798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000296793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.123{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.124{D25361F1-F6A6-6305-3F05-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000308622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:07.788{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0767BFCF6B4C9C5C4E79C7671B8E938C,SHA256=7B4B8BB29F20C6653C612CD7BB38C62E925E49280CFA97AD6CB54BC6261DB55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.890{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8628487791C898CAD3629FC15146B52,SHA256=8E8E7DF265414B327B46E8D9B81309ADC01D6731693304A680DBCE5E5F2B5AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.887{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF5C3AB6F0629507DA4F6F192FCC403,SHA256=0B326D4447F4649D57FE67326B0A06F18BCED0E0A81AFBCB18063F3BD4C38737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.877{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.874{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.870{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.867{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.865{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.862{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.859{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.850{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.799{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.788{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.762{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.744{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000296963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.728{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=34506A53B0719BEA62F8C3721D64EB8D,SHA256=E77E49DF385E9B498DF83000E5BD853DE5260491DE3D1B13D57874BD2AE350DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.722{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.713{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.708{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.706{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.704{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.701{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.698{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.697{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.695{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.694{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 734700x8000000000000000296952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.624{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000296951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.624{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.624{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000296949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.502{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AB02A1EF99ADA79B8C6D459902FD2A,SHA256=8BAA8B9D8682711346DBE9BF1F01B86E3CFF5D6E35393CCD5953FFF5D34FFE75,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000296948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.487{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000296947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.486{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000296946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.486{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000296945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.484{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000296944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.482{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000296943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.482{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000296942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.481{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000296941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.480{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000296940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000296939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000296938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000296937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000296936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000296935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000296934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000296933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000296932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000296931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000296930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000296929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000296928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000296927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000296926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000296925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000296919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000296917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000296914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000296913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000296912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000296911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000296908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000296903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.461{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.460{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.456{D25361F1-F6A7-6305-4105-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.241{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A72BE5639F5F4AAC232153B42B1148,SHA256=E6193A8B62C493916F7FB0B2BEE1509C7A33F71E397581569BAFC70D3922C186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.180{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.176{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.163{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.161{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000296891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:07.155{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 734700x8000000000000000296890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.992{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000296889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.992{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000296888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:06.992{D25361F1-F6A6-6305-4005-000000007502}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000308624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:08.858{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C8C4A57776FFF0C797275DADB297C0,SHA256=EAA4F6B8A996E397A047B44D9964F5BEB577BBE1930A842C608CD4263B654671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:06.552{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54977-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000297078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.940{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A711083BB1D21A0D2181F33B0474D35,SHA256=2D2AB70D64BEEB50223B037AC89DE405EF63AFE88581E4DE49D1D026F0D5FBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.940{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC32315D8D24A7F71C006E0B20D9684,SHA256=7723252D895C9873501F6E6786D63DF9E69574156351027F2BA5751C4D58D752,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000297076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.839{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000297041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000297036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.824{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.825{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000297029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.341{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000297028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.341{D25361F1-F6A8-6305-4205-000000007502}51167152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.326{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.326{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000297025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.162{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.162{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.162{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.162{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.162{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.162{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.161{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.161{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000296999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000296998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000296997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000296996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000296995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000296994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000296993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000296992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000296991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000296990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000296989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000296988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000296987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000296986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000296985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000296984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.140{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.141{D25361F1-F6A8-6305-4205-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000308626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:09.988{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1084143213CA845FEDE8B5121660C04,SHA256=1FE82E340CE03B79C07A98661532CC2914B24FE7FFC90C509C6C64C8CFA59269,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:06.929{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54978-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000297133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.693{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000297132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.693{D25361F1-F6A9-6305-4405-000000007502}50724852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.693{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.678{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000297129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.518{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.517{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.517{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.516{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.514{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.514{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.514{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.513{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.507{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000297094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000297089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.494{D25361F1-F6A9-6305-4405-000000007502}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000297082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.009{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000297081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.009{D25361F1-F6A8-6305-4305-000000007502}66241960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.009{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.009{D25361F1-F6A8-6305-4305-000000007502}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000308628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:10.957{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD1BD5869E06B63EAC553B4B824A039,SHA256=EDB768860A569E479322AD99AF82959669AF9CEEA985F9507082640DAAA87A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:08.835{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54979-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000297135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:10.078{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9FEFF63CBE7978F7FB67C2791B0E8B,SHA256=A64A84165CC25D6E0C8CCC200EB201721EE22C940726662FB42DF9F7A884C91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:10.059{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F6A693C62E452FABFBE499F37F335C,SHA256=2D28D88B87D97DDC472680FEFDC2970C8A20906120AC90DDD2ADB2F42ECC9B70,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000297190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.779{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000297189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.779{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.779{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000297187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.594{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.594{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.594{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.594{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.594{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.594{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.594{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000297173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000297155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000297151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000297146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.578{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.579{D25361F1-F6AB-6305-4505-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000297139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.040{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000297138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:09.040{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000297137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:08.556{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61373-false10.0.1.12-8000- 23542300x8000000000000000297136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:11.093{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A411A2E3F3029BB497925CC77029E9,SHA256=4BF3154B4FC036C0F52472908979E3772399AC2D4E5E145AD9499D36F9CE9C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:12.794{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5975C15755FE114679DBD1E061056899,SHA256=3672F0FD2E4982B383325C1A3C88D6194320667B34967D347841F5BC75BDF27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:12.794{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D490D9601953801CD41BC65FC630805,SHA256=F22448A8595720854C8489F24DE88648CB979B7887DB6BB7BEAC6AF26F8E4726,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:11.024{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54980-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:12.039{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92033DA530EB27A07E978C15D450D418,SHA256=74CAE2C1C9DA2CBD309AB17EAE2C36B32E408986D00F7A8BE1B1C89DF94E2525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:13.894{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B950F166F7D743E4C110EB709DD57E2B,SHA256=29CDFC5734F287EF8C202F59B570B136E288779DAA1DBCD7F949BCBE04B957E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:13.156{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631E9B5771DD3114169AC75A69FE0D21,SHA256=ABC6D413CABE57EBF91A2F10FB525B1EE5FD37007C1E8A8F511CC2B9C0F80629,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:13.210{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54982-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000308633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:12.918{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54981-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000308632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:14.276{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F7F0C8981DEC3A02E8260AF428B23A,SHA256=C0DD668FCE613E34BB6B9DA67B5C896FE4C2357B764054789DCB02BD93445BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:15.240{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29D2A57D6FE16235381DA4E7100FF5A,SHA256=82CFF5CD7562C69EE47185F0A14B2D9B99E99B988D85EA47B620FBC6C22F41F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.997{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.989{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.981{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.974{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.967{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.965{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000308635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.391{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D281A76F0F9A4A6B09E5A82640FBDF1A,SHA256=BDA2EE3389AFA00053B515F873BC703162E148CDBAD5E267033684A603017444,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:14.602{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61375-false10.0.1.12-8000- 23542300x8000000000000000297195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:16.358{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAD6597BB299081DE5032D476397CD9,SHA256=1D7A0F607096CD0D21948AE212E4FB7CFF9B6061C811020564D9FFBD07133EB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:15.490{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54983-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.491{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9267C52E8DB79743E6E052E65258C4B2,SHA256=DF1E9B8A6F6D361A49C2A5D5E8CA72884E64E135E021FA6C13CAF32F50689CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.338{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0788F5279CFAC3E1B8355E7DE1B7F82A,SHA256=A7579629262CD8218309568FEA6A85A45DF4B2AE14E75053AC3B7FBF11BFC10B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.253{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.252{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.250{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.247{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.245{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.242{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.239{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.236{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.232{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.228{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.221{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.213{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.211{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.205{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.190{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.188{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.186{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.186{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.172{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.155{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.134{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.128{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.120{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.115{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.114{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.111{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.109{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.107{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.106{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.101{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.099{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.097{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.094{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.090{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.088{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.083{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.077{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.075{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.065{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.058{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.053{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.046{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.038{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.028{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000308642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:16.001{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000297197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:17.377{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3EC5CC67EE6EFE1A1DDB340014A4ED,SHA256=028420F4F76C9E5AD663B103980D045C21F1420468AEA5C9CBE41C32F151DD79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:17.622{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282554A003AE394F1A97611A5489ED8B,SHA256=886CAD053C4F57CD1059EF34B49A37793B046187E72ABCD24E08D93A6D6739FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:18.393{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF42206031286E7BCF0C3EBABFD18CA3,SHA256=DEEEC899B561D21D40B0DE3A81A43843A040C7BD4E40D2278CB559C500286413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:18.738{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687B47FBAEAD869460CD95314C2F4A30,SHA256=D013C0C73A73844501015649EC00E7F4B2CC97E26D5070692BED596534C351A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:19.524{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7E399EA665654CDD7B46D0AAED6D10,SHA256=F37E069B8AAE7CF93221051B231A8826ADA16B857F3A6FD8A92774B4CC94F21D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:17.775{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54984-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:19.839{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069428F7BF8F645973EF8A18C1CC509F,SHA256=39C7666025E06C8F9169B5E26B9FABF001F013B293B54C38871181B88A26F89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:20.948{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97E1195F4984BA370C2630F72CF749A,SHA256=BC90BF8169CA15867407B132136C9EC2842C836D61F02A1D3F8F56BE06975405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:20.611{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AF11ADD91DBB3342BFCB43C3148EA1,SHA256=CABC8A55A4B786297B76FBC7E9EA5C9275E37468EAE987564CD6DE88163C244A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:20.355{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:21.726{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160A6A212E5E1B9DFAA6B20F95C8F5D,SHA256=566A31E92A30487F0E4C6E0CED8DA8ED833CD79C16C42B709964586C58958DB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:18.817{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54985-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000297202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:19.672{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61376-false10.0.1.12-8000- 23542300x8000000000000000297205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:22.842{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7932D61E9918398181D996B0B4D0D412,SHA256=7EA9FCD66809255FAF473F541C1965D5F7D021B8E182921976FE29DC1DDFFF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:22.076{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E168549FB67AB80FBD0C63E1D4E9336,SHA256=847CD02A990E43AA225ED2D0360C43EE252ED9944DFD8FD1E510684ECE5713C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:19.796{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61377-false10.0.1.12-8089- 23542300x8000000000000000297206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:23.941{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBEE19E24960DD7DC58A7D011547F09,SHA256=85DC3B42543FBADB3A2146F02DA91C68AC2D2AA3781058CCC524FD30E6D920AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:23.192{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11705B4566C11B09810EDEC8920EB027,SHA256=D600C48413718B879EBF3693A4B5394F37F3C6A0372BA7310D7B7B60895635B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:19.991{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54986-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:24.322{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0796F1F417F7FA4DA255CC52EA063E4C,SHA256=81AFBF06AB2C37E9DDCFAC3C71F38310872D9BD79ED378A7399E3199C9B6A4D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.714{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.703{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.698{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.697{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.694{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.670{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.661{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.642{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.634{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.622{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.609{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.594{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.579{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.570{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.560{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.553{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.489{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:24.487{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000308703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:22.192{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54987-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000297230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:25.166{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:25.164{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:25.161{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:25.158{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:25.156{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000297225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:25.109{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9FEBD940E3D917A063F7C2F5BB45D4,SHA256=0BBC1AC02717AB6BA6038920DA6F21CC14258BD63DA1070AC6CED3E49D48A384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:25.455{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507A2084657A794182DAF9245D81AFAD,SHA256=9B661D01DFC36AB3604DD72981D13A2B94702E2AC8737D91C6FE686B7215217E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:25.357{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D64C17560D70E267314E56A4DF8044AE,SHA256=8190104D1D4B63561651E6F2E03EED3A83A3DEC391B66C4F32CFC418C0A70827,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000297238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000297237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000297236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000297235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000297234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000297233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000297232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.772{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:26.182{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE913D4E503DED19B97D9F672DC06019,SHA256=390EEDDC64C3CFF4E003A469A6842433874C2EFA708C4F29790CD10E1089D584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:26.456{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE651885C0F4ABC2FAB472AB5323358,SHA256=797AB799F68CF3402B1E0F69B5368E9FD6B9D387A87E9471B9C9A87BE13A387D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:24.491{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54989-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000308707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:24.048{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54988-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000297267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.910{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.908{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.904{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.899{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.895{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.891{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.888{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.872{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.844{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.835{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.819{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.793{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.787{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.779{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.774{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.772{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.770{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.768{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.766{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.765{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.762{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.761{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000297245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:25.522{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61378-false10.0.1.12-8000- 23542300x8000000000000000297244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.266{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE407D58DB6AD5997E5D7C416330A55A,SHA256=2B7FDD0ACA4852C3D19EC6CC6DE4D4D1A748FA9B6B475B6062CFF242DBF2E293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.254{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.251{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.236{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.235{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:27.229{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000308710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:27.555{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6826671244E5453B2EB377681632687,SHA256=E537D71BB03B0C63936B9605BA3D04F4F9CA18B2DCFD5E3AFBD02CAA79F89044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:28.797{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1204E9304E4B1620ED032675EAA36B,SHA256=B2E6CCCD52177349566410FD0E6F442B5E7C3446F0479AC66AC996E228C3D606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:28.674{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421A74351C0A0CFDDE3A5A8BE6386A7E,SHA256=B7CA87071DAC8D7AFA71D90D276BD3D00964961FCF64D26561E3EFAF1E446D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:26.771{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54990-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000297269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:29.944{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB097736D8F4F4A43983D4B8522D4C1,SHA256=6DECE27ADAE3903082BEAF29797422A28D3037BA43F4F70D49875D84A25399FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:29.789{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972560C3DDD42F4A8A4E46DA884972B6,SHA256=164DBD464699486E5FA99BE8A9BA1CE46A2340F12E20F06CEC803379A9569415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:30.889{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757E2F3396AE8FA68C7FD9C92A5C5AD7,SHA256=AAFA7E6DBF7C85A481DD7D0C131F2A55A590742E535529AFC569F4DF786C2BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:31.974{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181BB8B06AC265B1991B5A2C2DA6F211,SHA256=FEF51AFECF1FC5B91945B7055982D0AB6A1598B3EB38BFEFB774CC3633BEC696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:31.061{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD1AB12DD311A3F69E373D48B1B7C18,SHA256=39B0414255CF97BEE2BE14970B5E86F8C4C23F741674442CA30DE375731BF6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:29.068{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54991-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000297271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:32.142{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F711BDC35EF15DA390F2A923B03A70,SHA256=C4E11518D3478A0A7C48705AD5B5631D62DE0E4EF688E8E49D69C92185A34ACC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:29.999{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54992-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000297273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:31.542{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61379-false10.0.1.12-8000- 23542300x8000000000000000297272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:33.258{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374816C7DD8F3D6F426819DB02A51604,SHA256=B5B18A6613AAFE115C2E5E85A6B8C7EF69BB73971135089EFF3EF277C0A7FC6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:31.353{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54993-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:33.104{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E0F720969B97E7AC86477C3BFEB5A1,SHA256=49DFAEE8A55C37364DD3DD7FB02DF01ED196B64CFE59C49BFEB0EE4BD0BAA3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:34.280{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F84A47FA3B3E3D4C56509621EB3C2D,SHA256=7E6C488A031B22EDB7E28BBD2F104CF4A34559CAC1472B85D68D42D75D215C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:34.210{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7FA79A82481EFCC3318A13AFF439EB,SHA256=1EBE274FDE2CA4BCB8692B533ADA45D2BE328546BAFB6076BA97F8F6D6B5E5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:35.394{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEDC69BF64F3A88B0A38137AFE367DF,SHA256=66DC4975DB30244B0D5A754027691D2A8409E260BB3690D9B053B67C6AFA4A00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.992{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.985{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.977{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.969{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.962{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.960{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 23542300x8000000000000000308721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.289{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88223F927D77AB46CA1695AF06F1251,SHA256=225A7B0031C8CF0D06A7FE315003E3A6CE039564DE69255A903C3FE8F168DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:36.479{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831FA31E434D3A9C30DF0B47D5C9773E,SHA256=DF80AE13C64233C15C35A97BF4491553B32BEAED934D262C503818AA0BCF7024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.475{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019275FB62CAC44E6150473E01AF750A,SHA256=B66183D4A9C91F9660F5D4006F08EDAAB77C704FA0895CE3D9DC1E6057F82F32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.313{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.312{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.311{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.307{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.305{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.302{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.300{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.297{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.294{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.292{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.289{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.286{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.284{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.274{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.258{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.257{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 354300x8000000000000000308761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:33.635{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54994-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000308760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.255{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.255{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.254{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.254{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.241{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.231{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.210{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.204{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.195{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.190{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.188{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.186{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.178{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.177{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.176{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.172{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.169{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.164{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.140{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.122{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.083{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.064{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.055{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.045{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.036{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:36.024{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000308728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.997{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 23542300x8000000000000000297278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:37.892{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=474D95DEE50FA4EC30186CEBC6302FC1,SHA256=1E0D6CA98A6CED07736B484662FFB4C70706BA5BCD5E116FD2BCC18F8DAC6EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:37.594{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D62DC21274E04BEC805BCD5FA7F6892,SHA256=4FD768F14625BC438EE3EFEF55BF08D5E758468A6D4AC61FB8C9CB023CE130AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:37.360{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2256641839BC418BD4494775D21519EA,SHA256=C44123D8A824D21758C04B73388FA508FD398A3E4420A841EC745D080A4A168F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.909{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54995-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000297279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:38.708{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1E3160F1FC4CF973640AB2307E6E32,SHA256=48E70F7A022FF40598782B119ABA2D63ECF0C9E17FFD9FA363E0574FD1108597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.439{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4C47EBDF6B2A5B6DD8843A680CBFA3,SHA256=7CCC6E9DBF1C503B0208251642079571FE8AA631E4C154060557D60F1FB12185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.323{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.323{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.323{F6DB49F2-D01C-6305-0B00-000000007602}6241224C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.315{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000308787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.315{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000308786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.313{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000308785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.309{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000308784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.309{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000308783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.309{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000308782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.307{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000308781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:35.922{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54996-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000297281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:39.839{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D013E8D54DC757C62921B73E583127F4,SHA256=43E38B764A25816891C18EB78E3AB94E53BEA20072BD06E0B63DAA8E4C94513E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:39.557{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF82472D8F9F6CC1A6A594F6A6A3B4D3,SHA256=8EFB5FC8965C840AFAF3CB5AA571B74B7A16A37ABE363C3B417B4A5CCB6942AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:36.719{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61380-false10.0.1.12-8000- 10341000x8000000000000000308793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:39.314{F6DB49F2-D01C-6305-0D00-000000007602}7686032C:\Windows\system32\svchost.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:40.925{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0EDB46D7AD4F3E707C46A7E0B24452,SHA256=A3422277E8B879DD9379D45377B4EC47BCCF3A769C540AEC5A57551DAE7A14A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:40.677{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA76AA7208FD99B8AC60D2E2C3BCCAD8,SHA256=C3CBEEB469F704C4AAF6C153D82308BBC36C62E627A2A6CE95F23397CF3D459A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:38.106{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54997-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000297284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:41.994{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51C2123A3A505881A5F07B1C8C458D0,SHA256=8A22EF71E1902CDF6C5D842460E6F55FC38790E472B5FAFD3C118C31B252910E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:41.823{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10112003E001F2BB3E66993727CD97E2,SHA256=452C5403419CE6FA3D98A0F389CF40048CE59C8FD016AD6765E92217C31367FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:41.407{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=376EBF382304EEF7F2FCCE9693D0F725,SHA256=AF078B00F5E9F57208FF225AB7670957D8CAC64B4B6879D8EDAAC182C38A6EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:42.922{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6B306847C79F43C4BD6403FDBDCB5F,SHA256=83D1DAD84ED2F76C75D6530A42D662FD115D27D6BA25D21BAE40812FDF64A8CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:42.755{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D20B44DF7FFA69975301DC4B9DAFA6D2,SHA256=3769B1AD7BF091F2483CEFE137D8B92AE3A3F6F3B84475F629BF146EFE1D7327,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:40.971{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54999-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000308799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:40.292{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54998-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 13241300x8000000000000000308798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:00:42.092{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8b7a0-0x5ed25051) 23542300x8000000000000000308804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:43.991{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:43.991{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2D6B6EA06FF00F453B70ABF8B09888,SHA256=1BF4FCBDD53B51C860EF3A224B02641D1F39BEAA3920B8D3B6D6C93D103915D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:43.091{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E14CE5A698277AED8E9E897899159F,SHA256=8B7EB38F083E9D2DA650033679E52DC419713E9B4675989E603B806BEF9BC6C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:42.499{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61381-false10.0.1.12-8000- 10341000x8000000000000000297304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.652{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.646{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.642{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.640{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.638{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.612{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.606{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.593{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.589{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.581{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.574{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.566{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.557{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.550{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.541{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.533{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.489{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.487{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000297286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:44.121{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045F5266A3279D27ACCD749DDD6DC438,SHA256=6C8E734B3D04D04519C653DDD6483DAD84A48FCD8C8BEEB454363D1FBCD3AD3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:42.591{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55000-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000308805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:41.869{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000297311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:45.391{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375CE537392F602AC21DE73EE9A1865B,SHA256=98C8237C7C257B5B94C2848D9A7042B7CEBA1A880440469E59D224BBCCF0E9E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:43.770{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55001-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000308807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:45.081{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E929DB9F7DCCF0B3A0B7B35A7A6EF4,SHA256=A9597FDED3C302890747C310F4109229F01587DC7CFCEC2B7C12A85EE743B9E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:45.110{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:45.108{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:45.105{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:45.101{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:45.100{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000297312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:46.537{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88E90A05245A42409783187475F0EA0,SHA256=C7F6485ABA660D7E61F40F0C678F02354BF5CF316B7171F4A42CC026FDFF1F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:44.791{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55002-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:46.112{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2627433E74807B8A5F401F7E70C2DCE,SHA256=A0C30BC291A3E148D8ED8F38F3280D06CE6DFE02937C98DE28E6B66A9735CC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.978{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627A82EA9AB0F2956FC27A63387B89AF,SHA256=8E70FC3A59882A5FBF3FD3864EBC280A208D3D6424552443470D84C83A763BBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.831{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.829{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000308812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:45.992{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55003-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000308811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:47.229{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4C5E64AF6040D7A8B2E957853DFD32,SHA256=09491458B24C9E502D87F79D112E82A0D7C65A9565DD35CFE18ED17E63918F8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.824{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.821{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.816{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.813{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.810{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.796{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.773{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.771{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.770{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.769{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.769{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.769{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.769{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.769{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.769{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.765{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.752{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.731{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.724{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.716{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.711{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.709{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.707{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.698{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.695{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.694{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.692{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.691{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000297318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.637{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A819EA19CBB3F4C54ED0100469319AA2,SHA256=D46BBB261906972AF517F9792B585EF25BF8BCEEFF801E35C745B704EBAA0322,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.183{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.181{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.164{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.159{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000297313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.152{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000297370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:48.775{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40211AA0FE594F6557B6CDB98FA9342D,SHA256=DFC6B1E3547002D30CE19E820CC0C8C3EEBA0DE4BBF96A066E36A1D8F93DB9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:48.244{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEEE2E4F17DCCDC0335E93AD911F6B4,SHA256=F300F351C1B7C3E6941AF9C934B31041F65BDC080374E71A27700020F41A920F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:49.905{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368338D6484BE28CFB6C320A8A92F276,SHA256=E388869B52A54C5DD66E8C9D8C03DFA35EC56AB5F09CA77BD91DE63A9E9B754A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:47.059{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55004-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:49.262{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889D7863C4F34900D044275698E7B681,SHA256=1C87DEDA702D771832BD5D1D772553D5D5A090C87D5591FE59A334E9C863538B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:49.032{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-160MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:50.364{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5641F0D18D2EF311C978E112CA6F0B4E,SHA256=5D6A2786606CB9C966536709ABBD914210876BFD9E2A98975F7B35909B820C5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:47.568{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61382-false10.0.1.12-8000- 23542300x8000000000000000308817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:50.031{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:49.364{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55005-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:51.399{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523EE155033E8D71878AAB175AC631CC,SHA256=5FAC45BD8925D211500DB1EDDA1B6E62A4A13E3F58EBD910CF81B961AC9670F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:51.036{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37317905E230FFF3BF308B64138DF12,SHA256=D0CA12C38177A2187B0CCCF592DF4606D70B6D6B1E3DD9BABE6842AA44B50FAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:50.993{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55006-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000308821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:52.537{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE014B7DC5281BE3CA133B5FADB1E3F2,SHA256=6BE8E96EF9EF23D0BE500DD7C6DE11750B93ABBBEF764239DBAF17C6E92CB583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:52.073{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E226AACA530DC7A98FC9D3F6BBE479,SHA256=81D1809D6AE17E474C09122C0CCFE3F8582150A7BE53BEFBC078BACED76416EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.683{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359687619D7715ACC5C620D52098B337,SHA256=8EA559437A8AD2AD94C948E693F425F5D5C4515A3DE09DC90C3A798A2098715D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000308874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.683{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6CAF868B010BB9E98ED93E01ECECC90B,SHA256=1B745D3513165FAB0A62EA168CE82B721B40A27013D4169A8171728F526D653B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:53.191{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D602DFE18249BEF351592F66554F59,SHA256=4BA9F0237509BB9817F4488ACAF1CED8B720E32D90489D61913EC50A781910D6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000308873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.359{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000308872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.357{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.357{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000308870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.183{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000308849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000308835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000308834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000308829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.167{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.166{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.166{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.166{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.166{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.162{F6DB49F2-F6D5-6305-9F05-000000007602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000308878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:54.733{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58D4D3E9CBE813280E4EE2E7B0CBBBB,SHA256=822569811DE2617A349549AA4D51D2F212E2D8CF7B09AF04AA8E0E31FCA42124,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:52.571{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61383-false10.0.1.12-8000- 23542300x8000000000000000297376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:54.221{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D6195AA342598D0E97DFE123710BC1,SHA256=68D30275B5DEE4949E45F13EDD09FA647168AF692A48141926F5D3A54DD8487E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000308877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:51.545{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55007-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000308876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:54.264{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597BAEEA503799851A2A0D002FE4709C,SHA256=A22373D8C87C177E04EDB8BEAC6008FA1F66D48AF4B52FF6E13864384ADAE4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:55.536{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00C393452BE3B9C964F68B52CD28E87,SHA256=22BAA242078FED2A56FF23296782F9B803A753F384B3619D7194EF92CAA0F477,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.992{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.984{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.976{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.968{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.959{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.956{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 354300x8000000000000000308935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:53.744{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55008-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000308934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.605{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=252A1BD6E7D30A322A747D76F89871C3,SHA256=2F35359A4C90DB63C4CB6D806C79749ED3E18AE7D3A3EC5E2E585CA95F175A89,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000308933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.566{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000308932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.566{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000308931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.566{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000308930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.397{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000308921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000308900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000308899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000308897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000308896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000308894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000308893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000308890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000308887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000308885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.382{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:55.383{F6DB49F2-F6D7-6305-A005-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:56.620{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A2604D7AB344609B14B82007894B80,SHA256=4C9CFB563998E498A923D700FCCBB03C9B80285D7FAC5D5BBB0F8A20EED23648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.393{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F07A510378CD19856F36DB1E0D2F354,SHA256=57A877FD4DD6F94756FD326D875B27D499FF6C2B21A74D8AF9C85E542D9FB629,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.379{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.377{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.376{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.369{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.367{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.364{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.361{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.358{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.355{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.352{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.348{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.344{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.337{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.332{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.308{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.306{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.303{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.303{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.302{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.302{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.288{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.274{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.253{F6DB49F2-F6D8-6305-A105-000000007602}9606116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.253{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.253{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000309017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.250{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.242{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.233{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.226{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.224{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.217{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.213{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.202{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.200{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.198{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.196{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.195{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.193{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.190{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.187{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.178{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.174{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000309000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.167{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.158{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.155{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.127{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.106{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.100{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.088{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.079{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000308992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.066{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 734700x8000000000000000308991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.049{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000308990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.048{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000308989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.048{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000308988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.045{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000308987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.043{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000308986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.043{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000308985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.042{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000308984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.042{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000308983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.041{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000308982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.033{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000308981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.032{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000308980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.032{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000308979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.031{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000308978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.031{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000308977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.031{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000308976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.031{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000308975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.030{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000308974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.029{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000308973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.029{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000308972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.029{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000308971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.026{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000308970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.026{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000308969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.025{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000308968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.025{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000308967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.025{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000308966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.024{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000308965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.024{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000308964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.022{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000308963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.022{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000308962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.022{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000308961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.022{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000308960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.021{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000308959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.021{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000308958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.020{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000308957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.020{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.020{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000308955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.017{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000308954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.013{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000308953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.013{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 23542300x8000000000000000308952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.013{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7970F2B2FB429DFC9956CBF3AE24AE,SHA256=3EB2AF20F0A12CE9EB29EA815D922901F5C62535BE148ECF711124A29FA9FD4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000308951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.012{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 734700x8000000000000000308950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.012{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000308949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.011{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000308948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.005{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.007{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.006{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.006{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.004{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.004{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000308942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.000{F6DB49F2-F6D8-6305-A105-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:57.853{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F309E2B2051561DA99D771273C1CA6F,SHA256=509DF458070113A22D0CBCEC292D18498F0CA84E971B0D88D7BD32FF049CC140,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.045{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55009-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000309102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.731{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000309101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.731{F6DB49F2-F6D9-6305-A205-000000007602}46045828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.715{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.715{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000309098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.613{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.613{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.613{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.613{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.613{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.613{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000309092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.547{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000309075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000309057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000309056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000309051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.531{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.532{F6DB49F2-F6D9-6305-A205-000000007602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000309044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:57.084{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A58A93CF3C682FFD883A300EE808CB,SHA256=DA70CD3576F13DA12E76AB09234FD48F68911C299F5C0D7B7531216AEDD69798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:58.952{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83F880291DD5A2634EBA73C40E41397,SHA256=406492A93B84CAD1A5C8621809870DC292BB67CE65629CF210B63DBEF15AA0A3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.887{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.887{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.887{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.887{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.887{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.887{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000309186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000309168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000309163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.871{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.870{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.866{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000309156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:56.893{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55010-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000309155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.667{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB6BB5357D166EDDD6CBB93B0B02144,SHA256=57BB05D90AB5A7CFD1D86703983F2D1185D6379B54095059C7647DD2C305CB3E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.387{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000309153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.387{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.387{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000309151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.218{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000309137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000309119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000309115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000309110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.202{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.203{F6DB49F2-F6DA-6305-A305-000000007602}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000309267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:58.334{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55011-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000309266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.761{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000309265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.759{F6DB49F2-F6DB-6305-A505-000000007602}61284804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.757{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.756{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000309262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.728{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.728{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.727{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.727{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.727{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.727{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000309256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.572{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.570{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.568{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.567{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.567{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.566{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.566{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.566{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.566{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.566{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000309237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000309221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000309216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.550{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.551{F6DB49F2-F6DB-6305-A505-000000007602}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000309209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.349{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF429CDBE430D8FE74F44A1C40CE310,SHA256=BA37988C77AD8EB1A6F004B80C6C3168EC235CFD761EB52A1FAC162D38DFB05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.334{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6C1530899A5A0A2DC0CE4D66CA0693,SHA256=3AD3A825A9CF0A1245F543219F85E019AB4C3D8495B0061A1EB570773D8764EB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.071{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000309206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.071{F6DB49F2-F6DA-6305-A405-000000007602}56525088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.070{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:00:59.070{F6DB49F2-F6DA-6305-A405-000000007602}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000309270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:00.470{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BF66F5ED05F9FB346B79187793256B,SHA256=12BA8CA4EAC2FD5173726B8C741001AB19044E0FFE01B7947E318F86B2E9387A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:00.468{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA65633DC0D39F7A8199364C0E84FCE4,SHA256=E52F2D73C592F8575F3A65D8BB1EEB2C42553A4196AD2BBFEC762C752D163C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:00.705{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-160MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:00.086{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4815E7DCF2248C949C047EB036708D1B,SHA256=0127ADDB5989AA448D6BADF68F7202D4CB4EB4E54438525A0C4557AAA93D1115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:00.034{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA52A190C49E37BD97DF8939C599B878,SHA256=FA5C075A998DC5C9FCAC05E9CE8B11B0CFB8A09AD7042F578D81D4394D0C4FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:01.587{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B6E1C406BDD32210538F7D059B3DD5,SHA256=F3B9D180AB1EE844C8EA8E986FA22BF5FCE52C0319F686CD7F701A632EF7E750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:01.706{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:00:58.613{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61384-false10.0.1.12-8000- 23542300x8000000000000000297384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:01.187{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF57244569CFD15789F1B913568CA68,SHA256=00F531273BDE13D9E0C4B7475976F6B17A697900388C73C8A80E4A574BFB6D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:02.704{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E1C89A8C4B539447A411D81E4CB901,SHA256=E4F5C71BEC5B282BFD94553C4F8D98CBFD9DBDAA1082AA8484F527FBE5F3C0FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:00.521{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55012-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000297387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:02.259{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676F1FBBDD1539CBDB69E9E61D2B00A4,SHA256=D9A50E1BCA816A5BF223B9170028F201D33D38F961FF75561BE3EA23DCE1300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:03.827{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE08140E682E3876B269E1EE7EC30DBD,SHA256=97C738780A9AF3464145F6C29B1DE9FC248F55B154B15247B831BC8B5397C3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:03.356{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC33BB274EEC446A83C50B07B133E527,SHA256=B7591DBE8209154384F45518C9F9E9EB306BAF88C87A05B7D7F7E94C759E8AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:04.922{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1170007F6B843D1D3C033B4F5744B344,SHA256=C5DB4F7AF575358CBF82896004C94A9AEFA680F26C89E04B953F6A6897B7E0D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.740{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.731{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.727{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.724{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.722{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.684{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.677{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.659{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.655{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.641{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.627{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.614{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.598{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.584{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.573{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.559{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.497{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.493{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000297389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.478{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A78E8DD8A9A4CE2E5C1E6208A2FC051,SHA256=4B5A01EA0217878DBB67424982724935B1F15D3131EC51797C1273E9C1988457,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:02.883{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55014-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000309275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:02.703{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55013-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000297413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:05.623{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC29FE6C5506B397B34559B6417BD74C,SHA256=9AF3E1F5B349B3BA3ABC2CA292F54208A6E170EA65A768EF1E89F51B4B7D0B44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:05.167{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:05.165{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:05.162{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:05.158{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:05.156{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000309279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:04.984{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55015-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000309278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:06.037{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3721C60C53DBF91F64F25CD00AB486F,SHA256=528E4AFBE57EA32B488A21AD71BE050BACA0F65E9CC902F03CE4FAB07D722AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.861{D25361F1-F6E2-6305-4705-000000007502}66845012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.861{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.861{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000297525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.812{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=19622A44A655FC49C986D5473FCB0E13,SHA256=0B3E88A72CD6DBC1E4F532939C1D85C1A98623EF00B7A70C60CAB2F1641C1537,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.781{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.781{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.781{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.780{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.780{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.780{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000297518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.764{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FAAA069D8CBA51370C99A232DAE097B,SHA256=4243E029404FE92B56B87D9364901E32DFDEAF15F0E0D0A4AC2806355A878785,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:04.568{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61385-false10.0.1.12-8000- 734700x8000000000000000297516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.659{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.658{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.657{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.656{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.639{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.639{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.639{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.639{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.639{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000297507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.639{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000297492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000297480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000297475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.624{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.625{D25361F1-F6E2-6305-4705-000000007502}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000297468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.361{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000297467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.361{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.361{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000297465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.161{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000297456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000297437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000297434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000297433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.139{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000297432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000297428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000297425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000297420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.123{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:06.124{D25361F1-F6E2-6305-4605-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000309280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:07.140{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BCCBF722E5EBDE8F8B32E3FD69ECFF,SHA256=9C0FE0428C2E3563C598023B605628C5153C74F29C3769FFD7111B29F04ABEF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.851{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.848{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.844{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.838{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.834{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.826{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.824{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.814{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.795{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.788{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.779{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.759{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.750{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.733{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.726{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.724{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.722{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.719{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.717{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.716{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.714{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.713{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000297586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.556{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000297585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.555{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.539{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000297583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.457{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92145284AC6E449B548A55699891CF32,SHA256=0B159F5DAA303955B6BB14A2987D76064C773B2E36D92EEF28A8D23DE086556C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.456{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA051E530EE50708A8FD12958BB4CDFF,SHA256=03A1E334E1BEF7CF4A9E0A68DA2EE9C12466FAFC18732953A916FCF03725C865,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000297581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.352{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.352{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.351{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.349{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.334{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.334{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.334{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.334{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.318{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000297546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000297545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000297540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.303{D25361F1-F6E3-6305-4805-000000007502}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.210{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.208{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.200{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.199{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.193{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000297720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.962{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000297719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.962{D25361F1-F6E4-6305-4A05-000000007502}68963004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.960{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.958{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000297716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.832{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.832{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.831{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.830{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.830{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000297711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.830{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 354300x8000000000000000309282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:07.256{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55016-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:08.226{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C74D6A1340C99721DB484E188CC5F5,SHA256=28FEEBD89AC2AE9AAED2DA1022612DDF9B482C77D3B1186A2C192E7CBD11C4CA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000297710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.712{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.711{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.711{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.710{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.708{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.708{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.693{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.693{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.693{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.693{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.693{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000297675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000297674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000297669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.677{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.678{D25361F1-F6E4-6305-4A05-000000007502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000297662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.192{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000297661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.192{D25361F1-F6E3-6305-4905-000000007502}62406476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.192{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.192{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000297658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.139{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=185E63815860FCE3F0C4D832BCB7508C,SHA256=C49691F2AC61780F6D34370C62D42D8C3A4F38A2520EA21F4A6BCD5CE9B2F427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.093{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D38D397FE4248DD309F96AD36F4D08E,SHA256=3D63E0EE14EBE161A259056FD388A654E4A47880235AAD6FC547C98177D2FD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.077{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B285B7E2CFA846D9CBD89BA2C8C2B7E3,SHA256=E845B345D4C8B885FE64D3D8D1CD0A58FAF95C66A5A945FC04873944348CC7E5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000297655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.024{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:08.008{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000297620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000297615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.993{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:07.994{D25361F1-F6E3-6305-4905-000000007502}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.893{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A37502D15AAB8CB8678ECFCA001655B,SHA256=5DF48399CA2DD11BF4AB610089D79B5BB3E3838BA1072D17198D9EEDE2E1F168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:09.357{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F461977F732D953247946F0333E384B8,SHA256=0683EE42C26A8E9C984D029D4AA5EA3A250006E2FBB84CC1DF53EC68CA3BADB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.716{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B09AFC24B972944FA419A842C05CFC,SHA256=6EE782A63E43C412467ACF94A7D4191D3AFDE7C2BD7B3DE216940B0F4A9500B2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000297772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.540{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000297771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.540{D25361F1-F6E5-6305-4B05-000000007502}70046692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.540{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.540{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000297768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.378{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000297750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000297733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000297728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.362{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.358{D25361F1-F6E5-6305-4B05-000000007502}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.109{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384B0699A330DB21E6F676465FE3FABE,SHA256=8E958FB9E8B44755D0D3CA61CD00B680AEA4AF477D5DA65A05BEDBD8EE4FFB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:10.441{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29CC959E1543ECC8A1B777D0EA19C0D,SHA256=7762A1A211AB5F77F9B9165E426CE6A470926C838D38DC306D77F3FF3897DEEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.056{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61386-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000297775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:09.056{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61386-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 734700x8000000000000000297828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.860{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000297827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.858{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000297826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.857{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000297825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.623{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000297824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.623{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000297823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.623{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000297822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.623{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000297821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.623{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000297820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.623{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000297819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000297818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000297817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000297816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000297815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000297814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000297813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000297812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.607{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000297811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000297810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000297809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000297808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000297807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000297806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000297805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000297804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000297803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000297802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000297801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000297800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000297799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000297798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000297797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000297796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000297795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000297794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000297793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000297792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000297791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000297790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000297789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000297787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000297786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000297785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000297783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.592{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.593{D25361F1-F6E7-6305-4C05-000000007502}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:11.023{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C0F1D706B117CDC448083E3F1E91C8,SHA256=BDEADDFB18F5BB9DE9407F4AE7E11FD257DFD99685745ED94DB92539212D2C35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:09.440{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55018-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000309286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:11.558{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F721AA1A1A79F300F8565B6A34AEAC7,SHA256=D912C65C98389E64994B593A90FF024035819576BFB117E0683C3DB233B98033,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:08.888{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55017-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000297831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:10.554{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61387-false10.0.1.12-8000- 23542300x8000000000000000297830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:12.738{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E80BA65254785396CBD9ECD84C7701E,SHA256=38490525E98F116CACA959B823E53792286F45110832DB1ED583385A41025A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:12.738{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17D9C27435BD1E4EE12EBEF22378A00C,SHA256=00CA1F90B071A647D394036E27C7D988BEA376C61E47EE3E7EBF6BF9CCFAB3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:12.676{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAD552736C1E1DE73AACD1508C69BDD,SHA256=FAB3949D1B7C823FC3A9AE7096CFA79D1D12C3964EA468643B42DEC80D5710D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:13.822{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9A40FB62B5240823B88CAE324FB250,SHA256=BE3AF988DB7031AB237D842C657BC7606E9BF1B1B0A3232E544CBD1403F49509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:13.794{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E160CF51B9D1A518F06C1C0D8021F1E2,SHA256=B585F9F9291CB38A11403F19DC80C867CEB323EC61DEF5B431F652D8555890B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:14.954{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163660F68429E62B3B47E6045479AA54,SHA256=08270B553B15D57E299CDCA455030F4E2DFD08DCA2014BD23D24A7BE1ECC3F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:14.925{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70151B3EF419460644CD0528BEACF190,SHA256=898707B016789B48F5DF638EC1C42EB4E3B104447CC89D15B8E41333D891EFF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:11.710{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55019-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:15.997{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF216EFB57C207E5C5194B796A1069E5,SHA256=B4D3F6FAF95E1EC5A3C87DF2486F642C8A28B53667851E9E71F2B8E4592FD512,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:15.994{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:15.986{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:15.976{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:15.969{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:15.966{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000309293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:14.026{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55021-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000309292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:13.966{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55020-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000297834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:16.073{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32EB097443DD234710EACD0871EB53C,SHA256=77156580AFACCF754EA24D6078A34E83BF5C000C4292D7620A39733061B52D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.526{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B6EE5A2CCF8C5CFA12C4C69C59FB1A,SHA256=2971B6A0B25D975B63AB84A4A1EAF9392F35A193FC9E7D7E68E84741E278FA39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.306{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.305{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.303{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.299{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.294{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.291{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.280{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.276{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.273{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.265{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.241{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.239{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.237{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.236{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.223{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.212{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.189{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.171{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.160{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.153{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.146{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.142{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.141{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.124{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.111{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.107{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.090{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.072{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.064{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.057{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.049{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.036{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.008{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.003{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000297835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:17.189{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70191C6CF313193F3CDAA070D33CD05,SHA256=980D93DAD56623567988503EB595038289B7260EBFBF208C6688CE4118CCA2DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:16.292{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55022-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:17.094{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB1B77073CD2AEDFFFE19E2E916063E,SHA256=56D0935E8FE3365F3CABB8A3C13BA2AC0AF018081EA7C3F0A1314A793BD482EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:18.305{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01785792EC61A3C737D55ECBA3936305,SHA256=1B91F389EF9BDF977A777BC2F1CD353B6A0F1B7EE452D81DDC9AB6AF978343E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:18.209{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D608ACE81356184D8964E0B44E69F711,SHA256=A55580CFBE3A1617C264233DAE0B6E0C14A585B3FEC2018FC6FE997430922D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:15.567{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61388-false10.0.1.12-8000- 23542300x8000000000000000297838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:19.435{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50780D3969DCBCDABD2E57A02DF5F68,SHA256=DC3971DFDFD21D6836F764C6549B057BAF7E2F9AC0F01F9B46FFE1ECCD2890CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:19.325{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA9EF33D845478B52324627A812C739,SHA256=69208A0B87544AE209B3920343D9A83F523B47595FB3F9E098F00734AA600CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:20.520{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32908E8FBABCC1BA01CC587421A908EB,SHA256=312B1DEF3DFCA636711592AFA7B32AF4D436486004B3FE1C5DD8EF981FF63CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:20.424{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119436C265F7EE48E4233B5F7A3BE773,SHA256=2FA82894B3B5311C52F1D3ED9F5BDE4E73F13039EDF329BD016B5F4C19585D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:20.389{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:19.836{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61389-false10.0.1.12-8089- 23542300x8000000000000000297841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:21.635{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B33A76D26EDA51F6230FC9B1654197,SHA256=295D7CA6DF450C08589C851CD6F494784AA883558AFFA195F55708C5C33D0941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:21.525{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FFFF2287BD460296ED203D5A6A3FF5,SHA256=C9EA8F2B9F7F50D23F883CCE1EDB0766AE28DB4ACCB81F9F1BE7402FAD9B36A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:18.486{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55023-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000297845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:20.614{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61390-false10.0.1.12-8000- 10341000x8000000000000000297844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:22.872{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:22.719{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3334DC86720BFA39788E80C15E0C3A32,SHA256=E770768B31BD6943C752DE3F7C3F5DC77ACECD71F5C6396AEBF13452B7F8B88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:22.623{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772DAFC31E6F79B54F2DE0C4B1C098E9,SHA256=65FA3D027D517200E46867AD608B814CE1BD6759841CFA933A292E8ED2A9CBB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:20.002{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55024-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000309361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:23.754{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521F3D31BC59094333EAD3EA783C22F9,SHA256=A02990BAB79C16D257B24996301B4BE4512C0CA5E21223864A112DBEEC402352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:23.834{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07B768AFD0BF6ACB420D3BBC20127A9,SHA256=657C085114DBEAD516B682A0A9AA96240D4DF8AFD9B898AEBF6F51A383FA26B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:20.691{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55025-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000309362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:24.854{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BB3C994FCA000B7E6B46C002683F87,SHA256=BA1B0A36022D5165A7E840057F542F65D5077D4C729D30682E150C027ADE1B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.968{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6F83EA4080964CF129584E12A7E68C,SHA256=D12E7A816C579A90D72B1AE91CAFD90C61EF333121E5C644607591068E04DCE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.697{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.685{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.679{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.675{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.670{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.642{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.637{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.625{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.620{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.614{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.605{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.597{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.580{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.573{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.564{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.557{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.499{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:24.493{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000297848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:22.337{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61391-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000297847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:22.337{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61391-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 23542300x8000000000000000309365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:25.953{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D46217C087C36C81A2CECEFF686C5CC1,SHA256=DA50F1709151843F6DB061DD5AAFF6A75BD5FBF9AB040501A03161B2BFF6E6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:25.891{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521FA0BF62566C6062BBA4EC1E960D34,SHA256=8DAC9AF33C1633A96719BE17DEE29D20114F03A2760A65E2664CC07E17E9F0FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:22.957{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55026-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000297872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:25.134{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:25.132{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:25.129{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:25.125{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:25.124{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000309366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:26.991{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69997989EFD804884F456F3E3DBEB23,SHA256=55B1A01B46255467D873EC96863C6030F17FC0E790DE6482F7A96E099F1D5CEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.787{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.787{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.787{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000297880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.780{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000297879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.780{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000297878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.779{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000297877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000297876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000297875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000297874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.773{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.034{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F452353FBCE5D8148A2F8F9F240EA,SHA256=AC3C8EE519E45BB825D17A4D56D00DA2CEC3FCEA14D2285D67CC7560B298FBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.884{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.881{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.877{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.874{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.870{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.866{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.863{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.851{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.823{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.815{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000297921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.815{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 13241300x8000000000000000297920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.814{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x8000000000000000297919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.813{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000297918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.813{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000297917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.813{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d8b7a0) 13241300x8000000000000000297916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.813{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x7a12a65d) 13241300x8000000000000000297915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.813{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d8b7a0) 13241300x8000000000000000297914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.813{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x7a022838) 13241300x8000000000000000297913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.812{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000297912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.812{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000297911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.812{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 13241300x8000000000000000297910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.811{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 13241300x8000000000000000297909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.811{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x8000000000000000297908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.802{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-CFFE-6305-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000297907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.800{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000297906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.799{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 10341000x8000000000000000297905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.788{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.769{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.764{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.748{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.741{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.740{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.736{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.733{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.731{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.726{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.724{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.721{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.720{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000297892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.704{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000297891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:27.704{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-854.attackrange.local 10341000x8000000000000000297890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.704{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.201{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.199{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.182{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.180{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.172{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000297884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.135{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE240B2BCC557B20466D0FEA1D4C9F8,SHA256=D5BF03655162E06CC27641C0C8E26205B3A1A18319B0E7626F3B818C9FF30B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:25.252{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55027-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000309369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:25.915{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55028-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000309368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:28.074{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95DF51034DAF2BBB9BC5E153C57FF19,SHA256=9D54D6A091A2E557387D7A3F22E86746D60796A65E7ED6D28B0B5F241AD4400F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.184{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61394-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000297937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.184{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61394-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000297936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.173{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61393-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000297935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:27.173{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61393-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000297934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:28.772{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20D4F8A47C8E9812307F17AA400E710F,SHA256=46CD28D944F1CFF3205A77FCB7D130394C7A187D949203A7106660A3A35B4929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:28.735{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0334EBE0CC9F5F22AB1CE31E4AE7508,SHA256=ABB2B2859775AC62A43271F48DF8D3BBC8D8CA701C5182F848F50FA0BA162ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:26.582{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61392-false10.0.1.12-8000- 23542300x8000000000000000309370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:29.173{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5708094E0AF28ABA908B101F052ADD87,SHA256=729775F0FB2DBD5A303CAE6098A68A0BB8156FEA68AA283608F611CDE3DA03D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:29.235{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CA89520CFA2F701826702869D71378,SHA256=921F0D62FA0DB0FEE1E70841247CB134E7C0E05E83D701298AFAEC8EE224AEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:30.335{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4AA7CD0479E2A1DF695A05EF99203A,SHA256=C82F34EC1D270C072A37CF1CC03EE78E98FD63026FC609A94484AF18DA358468,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:27.423{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55029-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:30.208{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8AA8441329EB7EF5AA749AAB8D35E5,SHA256=384DE1126D2FC92345933E6418FAD8C40997213528EC473313A31B1BFF8D88E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:31.652{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A117F79F7111DBC37B0F043E56D3C32,SHA256=313DF070A4C946912C5502EF1458B7FB6B36B488785AC5841516EA1AD6DC62C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:29.706{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55030-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:31.354{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B7E7DAACCB55472498635AFB1D42E9,SHA256=B4710682D1A2E8368EDE33ACC02FEA99A01DB0E05F64F81A6A81E9959AF48049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:32.850{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57A5C1A390078C36EFB847C253D3043,SHA256=F491C4155213D7D264C05C241FE0183643CD353213710E7CDACB2A278F6ED8A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:30.917{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55031-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000309375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:32.472{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2217934AD39122FF1613BDFC290164,SHA256=A0D1AEF67BE1B698869B14A00DFD16F25AEEC72DBE724C53B51D8572EF642572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:33.970{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0815E7A4751C90F8D38D79FE826CEC,SHA256=16A8D08B69D57D391CF85AC16E2F57DE4B27A7BDEF39AD6AC8C64B7EFACF6382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:33.572{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114A52F3775806C67DA960826C273B30,SHA256=DAA5C69A02B425DA995EE5AD2415FA5C3F08ABD297DD8BA0679D4AE1E1532A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:34.692{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03072E560B939CE77EAF3E9920A2222,SHA256=1EBB371C2A90A9EBA043FD36BA7ED908C2D59324AC525356F917030634317230,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:32.533{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61395-false10.0.1.12-8000- 354300x8000000000000000309379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:32.005{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55032-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000309378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:34.137{F6DB49F2-D01C-6305-0D00-000000007602}7686032C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:35.100{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4227D88372A9F178118BB23B19D0D2BB,SHA256=D0A645C4E74DF01BC801DEED2B2432EE084CAE9720AFAF7FA44B1CD433C7EE77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:35.987{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:35.983{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000309381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:35.808{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05E0A7BE12C8AC91E31AA00EFD9A617,SHA256=44D73EEB68F70844863D0555B5322814586CC4DB7678A7B635E19E92793C03FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.875{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B9088BA459FFC28582A4CE3302D815,SHA256=40C98FF6733B5C4C5BEDAD59823DB9493329B5A2625B839F6E167135083F8FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:36.332{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AE20C5F5E0B1A69CCCDB5F489F0BBF,SHA256=4D389928E47F47DB3C3E4EB3C12B4DDC360F4C07C096162094F0E6AA7BA1871D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.466{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC0F6434F4A48571EE7F06E6A2FA7C0,SHA256=733235ED35F5481F4651A4D7F28440ECBD466AB2822BFB0782B381C411833E66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.406{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.403{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.400{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.395{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.391{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.376{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.373{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000309430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:34.284{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55033-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000309429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.370{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.360{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.350{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.347{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.343{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.341{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.333{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.310{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.308{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.305{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.305{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.304{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.304{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.290{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.277{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.246{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.236{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.227{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.221{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.219{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.214{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.211{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.208{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.203{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.197{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.196{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.194{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.192{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.189{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.187{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.180{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.176{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.171{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.163{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.159{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.139{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.128{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.116{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.107{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.096{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.083{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.049{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.040{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.031{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.019{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000309384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000309440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:37.974{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA691DA3BD42614B8938BE16892A485,SHA256=FECC8D9ADAA5096965E0D1E5D6FB3519BA4B2908B381FA0B009D9E05DD7A5893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:37.431{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF23D11274527C7F68E91028C2EFEF1E,SHA256=BC9CD9FAF11187CBCC5748F2DB974C92EDEDDAD514AC6D859807390CFC0939D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:38.449{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5B7969D17F9C1E74EC84DF8729161B,SHA256=17B3932FFFCA7EA13C6702634904954A67DB3842A76D1066DE1F787B5DB340A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.949{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55035-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000309451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:36.471{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55034-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000309450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.325{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.325{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.325{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.318{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000309446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.317{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000309445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000309444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.314{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000309443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.313{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000309442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.312{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000309441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.311{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:38.383{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28664819AB1450C7CD121AAA2E561AAB,SHA256=49717D436187336B6E257290D12DA6623036C48A7C40C08C81DAF7262D80214C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:39.567{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6C5BAAADF2641B02BE6B180385F402,SHA256=02CE25784B587EB7F4DF16D5ADE862B72ACC755D455847741F02A70996364FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:39.094{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA2FD264947E2A2A6DE0DCF053C344F,SHA256=8D4ADCE188DAACD9579B6BF05122F66E412FFF316A4420B096914EEA2775299B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:40.682{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7437F65D61EF6769BD9A3A6768B512E,SHA256=D4E4EFFB9E2988C5DB056C04C316FB430A4B525ADA0EFC381F7246B2D624B09B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:38.739{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55036-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:40.125{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239122B7961396E78E32983F6A196850,SHA256=869CE596AB5289EDDCB4060FAEBB809BF2705EAB1F124FF0EF9A86DCE988B5FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:38.529{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61396-false10.0.1.12-8000- 23542300x8000000000000000297951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:40.029{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381D7C74B9FFD6DDC0AEF7148DE9B2C4,SHA256=03EF518CEF9EDC1B0C56DF589252161C954E280593532644115AC59CDD9AE5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:41.784{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EBE5542E78CF910F366B5BDB250C19,SHA256=48B015A509D628BE8AE4393DF0A2CEA5239D29DE03DCBEE268BF14A9986FB62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:41.210{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA7DA1720BF12FB07ABD07B07B38460,SHA256=CEC273123EBB90BDABAEF9B191A8864E7F2B3B74A68B4DB5E2A66A4B169CE13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:41.415{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=25F0E1CFA5F266DD5441C5426EAB3127,SHA256=3545AB56537B597906ED87CF1F2FE67A7BEDAF2C8E580E88954E1ADF84C67D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:42.888{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4554CA81849C0FB06A0CD79A857DE2,SHA256=AE768278F830AE9588228C49CDCE331BF426DA19EE7D3FBC93DF2A750D282ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:42.756{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB13429667422784B289D2A64B799346,SHA256=E51632DCBBC15969DD9C4E8A06B3E5D16E8455DFFC9079C890940A24C3151DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:42.341{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14A10009DA8DE275F04C800195B502D,SHA256=16483AE664F01B52D76031212FB6DC34216BA02F5075131BA9CBE3F01DE63509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:43.973{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D80B6DFFEFC80076BEC87483E209EA5,SHA256=3FA9111D108D81ED5BA71A33A2D09C4C8B08D01F3B8CC985B3A56F31632E0DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:40.939{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55037-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:43.457{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989989B239F053D81FCC02CAEDB36FCE,SHA256=895AB24C6B3283AE9A21914F2B01DA0F2A64929B71C88B62FEC74F2F644B2122,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:41.969{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55038-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000309462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:44.564{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D6FA17B3B7681738AAAAE2D0A31AF5,SHA256=6E917D9FD5CB9CC8B269463B588E5F7599B8F58F73E7BC9D5B27309053FB78D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.665{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.658{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.656{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.653{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.649{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.619{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.611{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.600{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.595{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.584{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.575{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.565{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.556{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.548{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.539{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.531{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.491{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:44.488{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000309461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:44.010{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:45.708{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260032163A0FF9FE3F0403A2F4636BEF,SHA256=BC8A0CC08BD8EA6FF3D146BBBECA27E5A1BDD32E7A457F7A5F5A44DF5D611A7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:43.787{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55040-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000309464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:43.124{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55039-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000297982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:43.536{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61397-false10.0.1.12-8000- 10341000x8000000000000000297981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:45.170{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:45.168{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:45.165{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:45.162{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:45.160{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000297976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:45.131{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA17353DD113A750967A0FBD98145A9E,SHA256=CB69E9573C86A6C9DE9B73E1A0409284557C5C87714F447944F865832D84B600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:46.808{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BF3F81C7BEFB13C4B196A2835F00B3,SHA256=90E56D001DB06C98D0641BC0FBCD6424BF551C389B2DC9C952B9111CD92EFEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:46.324{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186CE5E654A102FA7A75255E42054CD3,SHA256=2F36C780CCC0DB918EFAE0C34E6B500A73D19BE919B38E2B6BB0D945A0E2A9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:47.839{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBED82230B0CEB24C5ACC22CB0DE373F,SHA256=347FC8AFF039FE154FFEACF87D986DFE0F1E1124EC899CB288EFA83C7FEBC659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.876{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.872{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.869{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.866{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.861{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.854{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.852{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.842{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.817{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.804{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.781{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.761{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.750{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.739{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.728{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.726{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.722{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.717{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.714{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.713{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.710{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.709{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 13241300x8000000000000000297990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:01:47.577{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8b7a0-0x85da9868) 23542300x8000000000000000297989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.392{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEE26A4A9C47536A5D449056ACFBEA6,SHA256=05E35D240B854FAE3E93B25E2A5E554AF2B5327E6782BFB9EC89D51DC0151388,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:45.422{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55041-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000297988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.201{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.200{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.186{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.184{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000297984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:47.177{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000309470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:48.954{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6023F34D5578E721AC07DDF498512350,SHA256=6B746CB3FD1C9AC660882E17A677110A888B465A4DC4973321603A89598AFF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:48.592{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3394C7669EC795DD6A63D2527E1735AF,SHA256=F099D9EC3DDE1859193FC184A7F6C777E90FF690B53FEC4A18D869F9B1DCF6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:49.723{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E230F0FF91ED6AECA16A22112EF30A,SHA256=281E3C6E4D0268E3F78E10AA540920DEC3AF8713D3263DC181F94F99691A890D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:46.985{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55042-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000298016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:50.822{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11859320FEC36DBD575128E47F69ADC0,SHA256=A2127DBDD5E048CDEFC075860FB344B9826DBBF3D5B0BFAC34B75B7216385F7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:47.721{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55043-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:50.543{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-161MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:50.057{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27F0D57E6151FBC21BE8F99FCE5C7B2,SHA256=8277819F8DEF486062F1754C793350E606AC615D0A084B435091E9CB511E2BD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:48.572{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61398-false10.0.1.12-8000- 23542300x8000000000000000298017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:51.922{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF0236C6AC958ED3F6672975071CC82,SHA256=0E3814A24BCD9C69D1DC7A8415AC0AEEC2F78C12DDB8FFD1C1A7371CB26C7661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:49.906{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55044-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:51.556{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:51.139{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EFB9364D41B2FFA44897203AB70713,SHA256=DA326E45FAD550DB6C0C6137E837220470078D160E4A4DE93D2ADFCE07443598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:52.254{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982887674CA90956B4D120259B9F3517,SHA256=CEFCD91A58E69B596D324CC63B92F3557B27879D6379854AE7296E69E3BC5094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.739{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6BDFD4BB0299588D48996BE17AB0A6F0,SHA256=C2D5258995671CD9EE9C15346CBC7ED73FF33848B031ACDEFC44F51819654B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.672{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30941B2700223D8B06ABA357B42ECB9D,SHA256=FC05379745494A28DC53994A060DCEE142A46F618087DDEFE6240E98DC659F46,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.351{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000309528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.351{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.350{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000298018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:53.037{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B77D218F240714E298689ADFBCD4672,SHA256=9D85BD9465D46B9E70150CB184A6E97BCDB1DDCA246D9E2AD72532AD03EA3220,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.175{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000309508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000309491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000309490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000309485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.153{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:53.154{F6DB49F2-F711-6305-A605-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000309562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:52.205{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55045-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000309561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.407{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B97D2A38DAE37A25893F620DE0BDE2,SHA256=40718AE15327E1372ADA57ABAF006A5BCB5DD566A30152F8847DCBAE3150485D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:54.074{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7A04B8D81618BA229688031B0A471,SHA256=8C8CF79F98FAC598DD5DD035FDFFBA28A6F8DF0FD177388836B9C5BB75AC575A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.238{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEFF6C9277AF9379D2A611398F6D791B,SHA256=B6AA28CC3571F8A47BD16E292781A7DEDB10EF3D38450B54DA6133EB100657B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.138{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.992{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.985{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.975{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.968{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.966{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 354300x8000000000000000309616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:52.915{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55046-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000309615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.556{F6DB49F2-F713-6305-A705-000000007602}8361160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.556{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.556{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000309612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.493{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C165C4FB36C4270C83909732941F6E1,SHA256=2677B52AE6D1F7FE3974E8F726B34FD8C835B4379A411E22781ED1A219975D12,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.408{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 23542300x8000000000000000298020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:55.177{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859FEED729F99026C57CD70623A7DC6D,SHA256=B9377093CEABC306FA498FEBC3D1475E69E50864A3EDECA2EDADAE817727042B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000309602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.393{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000309587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000309575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000309570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.377{F6DB49F2-F713-6305-A705-000000007602}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000309563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:55.272{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=260716236F3347690E0ABD3458E60D16,SHA256=A7ABD3424E223A143797015ADA4C47E7C0DE45BB7F36FCDE75B5CC6C50B537E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:54.487{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55047-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000309728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.768{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.768{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.767{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.762{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.759{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.756{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.753{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.750{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.747{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.744{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.741{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.738{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.735{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.722{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.704{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.703{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.701{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.700{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.694{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.693{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.673{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.659{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.635{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.628{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.620{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000309703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.617{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DF26EE6319D8352139CC99EF79F1CD,SHA256=4B657D1BD8F118106A14C6475815EB94EF68D180F434E27F9D8E0639BB13F8A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.614{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.612{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000309700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.612{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B92D99B0EC9D78F8246B84154288C7,SHA256=5E2626BC60B23E77F0070BDBE98E086CFF21F81BFB972E8B1F7747686AFF621C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.608{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 354300x8000000000000000298022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:54.470{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61399-false10.0.1.12-8000- 23542300x8000000000000000298021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:56.279{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2EE5B5F84F84BDF1D7AF6460F0CC9F,SHA256=66AD40FCED19A8AB89B7B5A11924AA9E56E0D15775F01C5397085374F4DDF353,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.240{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000309697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.240{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.240{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000309695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.123{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.120{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.117{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.116{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.110{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.108{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.101{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.098{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.088{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.086{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000309681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.078{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.077{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.077{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.077{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.075{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.074{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.074{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.073{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x8000000000000000309673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.072{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000309672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.067{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000309671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.064{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 10341000x8000000000000000309670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.058{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000309669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.058{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.058{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.057{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.057{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.056{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.056{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.056{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.056{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.056{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000309652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000309651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.055{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000309647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000309644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000309643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.054{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000309642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.053{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000309641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.053{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.052{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.052{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000309638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.051{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.051{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.051{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.050{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.050{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000309633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.049{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.049{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.048{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.048{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.048{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.047{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.044{F6DB49F2-F714-6305-A805-000000007602}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000309626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.047{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.039{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.028{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.005{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000309622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.000{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000298023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:57.359{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A9283E0B3DEC8597AB84FE79764D0B,SHA256=72A3B4DA966B9553EA9B46FF7A431B1F6608933D10824D64009966DB3235458D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.733{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000309787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.733{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.733{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000309785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.692{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.692{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.692{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.691{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.691{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.690{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000309779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.677{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44511CDF1C265D457243F3E7396D150,SHA256=38349E70543AACCB31A958BCD020D7FCB5F855F28EE8BF404CC86E8C9A7C2141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.675{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45B192CF412E15DFC57F0FC152983F4,SHA256=96E23942938D4DEA7612D076D62CD9AD47931D423B1CEEDB52E89369C922CD46,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.557{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.557{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.557{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.557{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.557{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.557{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.557{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000309762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000309745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000309741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000309738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000309736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000309734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.542{F6DB49F2-F715-6305-A905-000000007602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000309895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.907{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.907{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.907{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.906{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.906{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000309890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.906{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000309889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:56.685{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55048-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.818{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBECD45F42A673F5EB6BB7B5C1D1AC77,SHA256=40F01B4E0928B3F914736C0A025F45971FC117E0A98AAF7B3E3BB3259DDCAA03,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.793{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.792{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.792{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.791{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.789{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.789{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.789{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.788{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.777{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.776{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.775{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.775{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.774{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.774{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.774{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.773{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.773{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.773{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000309867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 23542300x8000000000000000298024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:58.476{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C226E358134C40F991F4CCF9C038B3F,SHA256=C57FAED2B996979D89E987AB93CB7344ADFB60B6715BA9532DDCDFE1CBB4C97A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000309852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000309847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.761{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000309840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.757{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CF2CECB32CA8D63337064BF3C07D06,SHA256=9F36CC7315D801032B54CBFAEC5A5A000B5FE82BAC9D75F593B37D9054159EA0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.378{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000309838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.378{F6DB49F2-F716-6305-AA05-000000007602}45802572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.378{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.378{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000309835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.210{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000309815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000309800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000309795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.194{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.195{F6DB49F2-F716-6305-AA05-000000007602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000309955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.921{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4394C0D6AA1347422483A56293B979A4,SHA256=5222ADD9F131217CD45FF21D89F3CDB38702F8433B1AE70C9EBA68544567FEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.918{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060A7B089BF55367B43237FE884F71AF,SHA256=76655449A757C7EF4D001F52A3422727660E585730550AC28EFEE778FB36BF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.899{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A245CDBD2B12135DE6BF5909560AD10E,SHA256=22539510FE5108F10CDA13318F21E9AE960DD29ECC320A302168EDCE0591E157,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:57.949{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55049-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000298025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:59.607{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA1C1E213552E10040FA00889768E81,SHA256=27F81B85E318DD455287161EBDA1004CF2E4EF267BABAC0C6B0BBECADFF8FFC1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000309951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.717{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000309950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.717{F6DB49F2-F717-6305-AC05-000000007602}51923520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.709{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.708{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000309947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.457{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000309946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.457{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000309945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.457{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000309944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.457{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000309943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.457{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000309942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.457{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000309941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000309940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000309939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000309938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000309937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000309936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000309935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000309934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000309933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.442{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000309931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000309930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000309929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000309928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000309927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000309926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000309925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000309924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000309923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000309922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000309921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000309920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000309919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000309918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000309917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000309916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000309915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000309914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000309913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000309912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000309911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000309909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000309908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000309907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000309906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000309901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.426{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000309900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:59.427{F6DB49F2-F717-6305-AC05-000000007602}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000309899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.996{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000309898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.996{F6DB49F2-F716-6305-AB05-000000007602}37805448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000309897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.996{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000309896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.996{F6DB49F2-F716-6305-AB05-000000007602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000298026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:00.737{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A3E428E31C3A72A7E42340C87BC87C,SHA256=5474D043A47E5E402FF63A20835345D2FB663FC57CCBBBD960D1FA9EB81E9D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:01.808{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6829F5927658868EEEAEC7B275AD8048,SHA256=393183A6FF889F37A62D11D94C8A1D4C5E793E3DF9FF6AFCAE75204DD3F58999,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:01:58.989{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55050-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000309956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:01.036{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81182CCCF85375D3CA3052204B02E975,SHA256=A82EAEFC80FD6BEB068FC3F4EB9792392A76641B3EA6BC1C2C4CAEFF7D37B7B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:01:59.538{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61400-false10.0.1.12-8000- 13241300x8000000000000000298031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:02:01.222{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000298030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:02:01.222{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ECEB3A25-E485-410F-A879-889ABA3F8BBA\Config SourceDWORD (0x00000001) 13241300x8000000000000000298029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:02:01.222{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ECEB3A25-E485-410F-A879-889ABA3F8BBA\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_ECEB3A25-E485-410F-A879-889ABA3F8BBA.XML 10341000x8000000000000000298028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:01.206{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:01.206{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.938{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8954268A640CD8888DD6EA7DA3F5C811,SHA256=637675A5DB08102DB38640F24A4B3BAD64139BE40F046BDBBCC0922AD22DD385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.890{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.890{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.890{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000309959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:01.280{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55051-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:02.182{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD130EC5D5325F3DA0A8833A1C1653,SHA256=6BC1A98A15024C33009E6B245D64FC87A92DA15B42388C8B337A20912C2F44D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.225{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-161MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.059{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.057{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.057{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000309960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:03.299{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F64CD77BFD7566BE40BEA2F709080F,SHA256=2237803792B1703854FB338643E2EE8A59A2904979630EC37962A881EC67107F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:01.516{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61402-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000298050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:01.516{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61402-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000298049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:00.693{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9860:5ee3:8196:ffff-54312-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000298048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:00.693{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local54312-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000298047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:00.672{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61401-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 354300x8000000000000000298046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:00.672{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61401-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 23542300x8000000000000000298045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:03.223{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:03.175{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB979ED71FAFD73149E2375ED8D9D37C,SHA256=DBB27C1198C5BB669043A0CD51B70CB0982719DEC3F4D2BBD5698E96C3683954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:03.075{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:03.075{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000309962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:03.480{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55052-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:04.415{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8759919ACB6A245447F981BED62DBAE,SHA256=4FB70EF7BB2A21E64F398C952001703EA44D1396B586CF7A092E23E239B8B885,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.715{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.704{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.701{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.698{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.696{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.663{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.656{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.644{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.639{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.632{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.623{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.609{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.592{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.585{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.577{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.565{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.496{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.492{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000298054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.353{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61403-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000298053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:02.353{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61403-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000298052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.022{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D8511FD05F5C9AD9F0C64E300E1739,SHA256=D18AD5F57851FB1741651181A9C90AF200F540B6F4DD285D2A5F34D0DA7238F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:05.518{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6D4937DF384CA94D17A2F482644C4B,SHA256=FDED4E57213A91DF21B0FED4CDC14BDA3F502E9A74A8040D17D2E4D728C4CEE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:05.135{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:05.131{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:05.128{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:05.125{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:05.123{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000298073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:05.065{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875AD564A06A28385C298132FF5D3122,SHA256=66DB5E7380ECC1B7236F9AC9BA0210EE8EECFC47E7CD6002346AF550F9D4D00E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:03.943{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55053-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000309964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:06.586{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AF1C6CA4CAC2941A0555E848488515,SHA256=AC8E0334CFA5162173F329083572D5390E0E609701813168BCD5DDD68D5C4DE3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.961{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000298187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.961{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.961{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000298185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:04.703{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61404-false10.0.1.12-8000- 23542300x8000000000000000298184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.893{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A29FB381F79718E550D4BBE6B01C00A,SHA256=1FFAD36A168BA236428EC73F65148B153BB2D4A4C7DA247E85C0575245149212,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000298174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.793{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000298153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000298149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000298148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000298147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000298146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000298143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000298138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.777{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.778{D25361F1-F71E-6305-4E05-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.712{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=956256DEAC50F80A6D72285EF9534A79,SHA256=C4A217B6F3D86E00352543F54403DCD4EFFE33F2FAE1560C83B299C79A6DAB81,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.325{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000298129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.309{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.309{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000298127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.177{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87055552AEF6809403893512824AFCAC,SHA256=ACEFCE7B0622184799E94DC3EDEDA83D5B4540BB37F43078FC6B1635E97A86A7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.142{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.140{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.140{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.140{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.140{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.140{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.140{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.139{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000298092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000298090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000298085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:06.124{D25361F1-F71E-6305-4D05-000000007502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000309967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:05.774{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55054-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000309966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:07.687{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE70201C9324B22C2470B685D3BDA63,SHA256=54A02C48A3EE429326151A10149C8093CEB788B74B35D8D54FD5E67B52E9EA4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.861{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.852{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.841{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.835{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.832{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.825{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.818{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000298262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.817{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E9BDA39486118BA65DE0C9FA86E0E2,SHA256=E1164C30A2E816B36580220504CE23B720D60A9979DA9221A3B5A7140EAA90C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.803{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.757{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.750{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.739{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.719{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.714{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.703{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.697{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.695{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.692{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.690{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.687{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.686{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.684{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.683{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.608{D25361F1-F71F-6305-4F05-000000007502}57166264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.608{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.608{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000298243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.608{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F76ED7A04DF7B6B6FEF2BE9BC15305D0,SHA256=9B9020F1B6363362B779653AB5CF8E82BE54C28DC84A7F99605B63312514E15C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.461{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000298233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.456{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.456{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.456{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.456{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.456{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.455{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.455{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.455{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.455{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000298218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000298206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000298201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.440{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.441{D25361F1-F71F-6305-4F05-000000007502}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.227{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EC5239501FD20450520BCDC675C72B,SHA256=A835CB3E8A3006E3053232373CE5E2625D3EA2E51DA71471356A6DD260B13C96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.181{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.179{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.169{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.167{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:07.155{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000309968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:08.787{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CACD68D14BB4F21B15A6F18591C5C3E,SHA256=193C8CD4F3B8117D192A5CF7A37BEF9761590311C576C78BDB56411FCEE8CC2E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.961{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000298373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.961{D25361F1-F720-6305-5105-000000007502}56366764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.939{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.939{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000298370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.794{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.793{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.793{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.792{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.790{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.790{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.790{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.789{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.783{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.782{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.782{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.782{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.782{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.781{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.780{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.779{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.779{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.779{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.779{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000298336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.779{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.779{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000298334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.777{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.776{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000298332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.776{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000298329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.775{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.775{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000298325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.764{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.764{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.760{D25361F1-F720-6305-5105-000000007502}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.558{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F25F450CEE949FAE39253DAD466E10C,SHA256=A1935CBD53041C6D043550C50901B0FEFC5EE03215FA54902AAB34C981B8CD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.377{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E28B5605D11836CC8E48D845FE6C1A4,SHA256=1114C43695A28CA36E5F54B7A40FE69F0D8B62E3CDADD048334F062102C9119F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.261{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000298319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.261{D25361F1-F720-6305-5005-000000007502}13004768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.261{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.261{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000298316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.108{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000298281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000298276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:08.093{D25361F1-F720-6305-5005-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000309970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:08.053{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55055-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:09.902{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258896A0AE77DB824CBB30C5E837B75C,SHA256=43974FC628A9A1F7AC78B1B6F467A5757EBF6C16C1CE4874D21242F3EB305E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.723{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13BAAA9E3CC80400B75B4841B62DC47,SHA256=CEC4267EB29FC4736B63B465368A5B3F2622D957A8E9D9C5B4B7CB0897997145,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.592{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000298424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.592{D25361F1-F721-6305-5205-000000007502}33561624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.592{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.592{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000298421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.439{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000298386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000298381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.424{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.425{D25361F1-F721-6305-5205-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000309971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:10.919{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26B14947E9317EC053D829254D025C0,SHA256=A0BA35BC9C69A230668079DCEED930542293D773D2AEDAB2C30AB0EEED525485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:10.916{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5AF86DC95D018BA05181AEF540F30B,SHA256=28D30E5BA803A372564ECF686C54E1298EFBC8A3EE1872A86C13488B2C21685A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.071{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61405-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000298427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:09.071{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61405-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000309972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:11.969{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21C0061B372CB0C05D54547A85B92C1,SHA256=1EC4ED7BC3D68604FC8B78390E3BFD366056D41F8A5DD611C2F815D45BB5A82E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.793{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000298479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.793{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.793{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000298477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.609{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.609{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.609{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.609{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.609{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.609{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.609{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.607{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.606{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.606{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000298462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000298445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000298441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000298436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.591{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:11.592{D25361F1-F723-6305-5305-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000309973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:09.910{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55056-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000298482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:10.617{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61406-false10.0.1.12-8000- 23542300x8000000000000000298481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:12.058{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4786BBCD9E2A65445452C4FA89C2A8D4,SHA256=B1937059C7CB226243936D874BA21D42CB1DFB2AA102B7FA3A43F2BA0FDB20BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:13.139{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE88B051133109CB8668DB69BC01972,SHA256=52EB1A845C12788066F554E44453DCB4678F14F32040FE6D0FF9CF0E0651482F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000309975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:13.104{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E193CEDADB157C83C8865E562CFC8C,SHA256=2A63195F79FCED000A654145C0E625B2F3721294557F352F65C3B56B7EA4330F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:10.334{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55057-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000309977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:14.101{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3401AA895F3AA01E5BA8B0EF773C4D81,SHA256=1A55EF817B820FD438F170932506797DFE2D4D24D3CC4FDB383B7CC15B52A5A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000309976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:12.613{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55058-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000298484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:14.277{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C20632B62A7F24BD16B68B6F3C606E,SHA256=A37B573EA196704EE50E9B46EAF9EBA717098F3F4DA7CF5BC8D9B6B2A8CA2388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:15.376{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5A9EB911D931178344A61319571A54,SHA256=3F0E59D6A6348240C23EBA1F6E943A3D70606FBBF5A3C0CABF3B2713B8FADAAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000309983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.998{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.989{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.978{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.970{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.967{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000309978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.136{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0471C20E39A3BCBB05A4D55B68CB01,SHA256=66B3FFE48A6B14E84757EED5D6C2A63E8CF8F70930EF4DB2C80662E2834F6D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:16.622{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804C2E6C5CD6110CA39429F3C3AB8CAE,SHA256=E7E8834DD95484D221D8B077B772C39793EEAD2107164B3ADBC3463346E7EB34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.046{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55060-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000310035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:14.890{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55059-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000310034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.429{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.428{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.427{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.422{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.415{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.412{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.409{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.404{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.401{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.394{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.380{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.375{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.367{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.353{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.325{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.320{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.319{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.317{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.294{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.282{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.240{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.227{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000310010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.224{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9FD3F72029D7E395B5B5B8834CED94,SHA256=9462D2A15C36C6D62A2C9A9027681E2543D2F86114C16A77A855ED0F52566D2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.214{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.202{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.200{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.195{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.194{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.191{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.190{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.187{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000310000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.173{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.164{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.161{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.155{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.153{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.148{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.141{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.101{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.096{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.074{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.050{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.039{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.011{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000309984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:16.005{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000310038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:15.798{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55061-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x8000000000000000310037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:17.668{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8274315033BB4B27F50F161037596AF7,SHA256=640EC208DFA7D6D21BC62AE0EE244566586BDE6C21AA10B48833630F649572CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:17.754{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8FE7B0E32A5327CA998A9D9751808A,SHA256=7186F96049856F97DE4418844C8753474E4B1A23390EA2CA1E5CD5D824A62046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:18.889{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DF12A6CF472C2172629A9258ECCCD2,SHA256=CA1FA315B51220C20710C6E64E2DFC6B242A019EA6FB8D6151A6D52CBAE4FFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:18.798{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BED4F08EF5F7305E70E588846637070,SHA256=4091ECBF3881DC0C59A393A01AAC6DF7ED53C556050CEDD3F610A2D5C0D2E9D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:15.482{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55052- 354300x8000000000000000298488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:15.480{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A53678- 23542300x8000000000000000310041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:19.850{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1954F03AD3F45CC32DE2C5140C994FE8,SHA256=E1A547263AD02CCFFA8E94BD4CE241DF2CBCEB31B64EF701988D3C5FEF8AAF9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:16.616{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61407-false10.0.1.12-8000- 354300x8000000000000000310040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:17.081{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55062-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:20.981{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D500EE41B737E56236E5EE9C59DFA19A,SHA256=002EB6ADE52A79F12DC95F331DE2AE44D21C5402EC00AF7DCA6E241B99C3B574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:20.422{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:17.651{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63466- 354300x8000000000000000298497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:17.650{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50962- 354300x8000000000000000298496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:17.628{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64355- 354300x8000000000000000298495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:17.628{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59049- 354300x8000000000000000298494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:17.626{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63018- 354300x8000000000000000298493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:17.626{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62366- 23542300x8000000000000000298492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:20.035{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A152D0CE1F5F8EA8D49FA5DAFE9A235,SHA256=A302B8CCDD8834D6090097AF12B6FA2C3328CED929C6C1F81636B001BAB519AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:17.930{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal63018-false10.0.1.14-53domain 23542300x8000000000000000298500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:21.172{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A535EE010F95A1BD83D859FB445FC9,SHA256=F7BE06709FFDBD0A7C32D7A0DBADEB2DA1614A66AF903B41A25A6FAD0886FDBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:19.363{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55063-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:22.113{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99D2A1E85A55B810711EAA27A2DD8DF,SHA256=BB360CF8DB20EE64558602C4C2806E7C3E32E6ED9498C854E0DEF7D4F5F5DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:22.273{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7624FDBC29617DC9C2CBE69938693F,SHA256=E58E2505CEB1F2D6F7ADDB732CED2BFCC98BE09466F7432990C6025C6C887FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:19.867{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61408-false10.0.1.12-8089- 354300x8000000000000000310047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:20.888{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55064-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:23.232{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3592480C4840143B87F67665C04F600,SHA256=30039B65BBB3A220F63E82F57A8B3A3CE79839FB4879E1218A21F0C8C580A248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:23.288{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEE1B13DA1139E4A0D34A67622EAAAE,SHA256=83E9D219073FEE58030760FFCF3A498938970DDCE9EBE9003073D9783F6047B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:21.562{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55065-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:24.347{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA0E9FC792EB334E3BA7597A3D0C48B,SHA256=ABCC3EED0C411A3DD074606054ABBE392EBD683CCB0D2F277B41A7988BC7AACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.729{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.717{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.713{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.709{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.706{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.665{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.658{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.637{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.630{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.623{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.615{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.605{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.594{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.586{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.573{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.564{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.505{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000298507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.492{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000298506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:24.402{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935D8DD0AD70687EBF65B6AE235A564A,SHA256=263AF2EF39A772EEFC8404F57D6B5DFB1E1BBB0901BC46675D6F16134C606BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:22.314{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61409-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000298504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:22.301{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local59516- 23542300x8000000000000000298531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:25.422{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD95CBEB5109ACF77A2991F18F455B,SHA256=6C5ECB70DB3029CE2741FA5FA32D5F7C6F6686C51BCC6ED92969E257FF1F7A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:25.478{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C7154F8ED27EF39B6AA46C2D363BC0,SHA256=536D2ED477C3185208EE56BA88DE2D4026B3166B65465A4C5AFAA60EB9902884,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:23.845{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55066-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:25.410{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1E4F1030E844ECC0E12DB38060934AF1,SHA256=EC93C5920C3D6A91C51366183DAFCF1F64FA6B66DE3F592D0EB89DD5BC6ECDA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:25.157{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:25.155{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:25.152{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:25.149{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:25.147{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 354300x8000000000000000298525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:22.516{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61410-false10.0.1.12-8000- 10341000x8000000000000000298542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.786{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.786{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.786{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000298538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000298537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000298536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000298535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000298534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000298533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.771{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:26.492{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B3C96F8C2F8BDA1B0E6BBB34CD0B67,SHA256=C86F8CD17C725459989841B36C531DDA839E20BD22A06B6BF4FDA554DFC4DDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:26.493{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF72CE49BE90DF2DA2E32CA50CF2624,SHA256=F0321C9E52A493C4DD8099338490FDBB2DE3916034082E760D9C00CE756AB638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.863{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.861{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.857{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.855{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.852{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.849{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.844{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.836{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.807{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.800{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.790{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.773{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.767{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.757{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.749{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.747{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.743{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.739{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.735{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.731{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.728{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.727{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000298548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.679{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C0FACDDC7F5A8FB0C886D484D9F4C1,SHA256=C0D1FA94702C10691356B220F4E7FEACCF8AAA626451D750FDCC8E54748864D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:27.592{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CC3D83D5BB6642B74BD98494B62E66,SHA256=710CDC3E632D4AD7BB7EC463AF8B6D0BC430C11CDEA3601581875B58AA6BE84E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.209{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.208{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.199{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.197{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000298543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.192{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000298571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:28.764{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAA73B4B5B5184FCB1118BCDCC3F9DB,SHA256=51F3DEA8D6265D9CD5D4314253A055BB1A6A38D67F8F00B62525DD5F5D540F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:28.629{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6CB1BE049C0781F56481CEC94F5CF1,SHA256=898DEC578DF7342FABA557067557809CF518D29913F119D52B88452BDB4E1310,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:26.143{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55067-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:28.145{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:28.145{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6E66D8DDD531E329973315912508BCAD,SHA256=509527A41FE0FBB69108C30D703E5A393041C2739FE2D4147F5C99D12952D542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:29.894{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFBD071FC2118A3641561CC3CA6CB5E,SHA256=9CAF06F694245959D7DBEFD293BE2F04C39B51ECA283590A0D1161E9D7CC931E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:29.744{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3DB3FA6B608372979A59126C92167E,SHA256=78BFCFCC9C2BCA68077EA9CF28EECEA02D82CA9866A2D143126C9849DA49A39E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:26.853{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55068-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:30.875{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBE981EEE6912560F31C32C3133F805,SHA256=144447CDE73B0B9D4B83A14FB908F0BAF2386DDF667F06DB30EC8ECE6D33DDC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:27.558{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61411-false10.0.1.12-8000- 354300x8000000000000000310061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:28.420{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55069-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000298574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:31.010{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7ABA24B0A5AA7DBBA57CB340FEE6F9C,SHA256=AA9776AAE329FEBE227F86BF1BC0952367A4B3F13313BF5ADFCD6BB719DC8A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:32.125{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7134C32A6F00383A24FDD195268A0EC,SHA256=793BBBB1CA79E325B9339D8E6837D8B42499327A74E866F67E3C5CFE7347A9DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:30.719{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55070-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:32.009{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5041626E55BDF58F53E14A99F47F358,SHA256=AA7D0C03B03E5C587351408D36F71C2724994DD53653BB4963FBCB8E61158237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:33.257{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BF10997E1A5E937C0FFEBDF3642C2A,SHA256=62BC50C0A8B3283E59C4AE937F3B16FFC5E8F2B3F5D162C777ACA3C98A25F8E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:31.921{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55071-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:33.144{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDF0EA43E8B1FD08BD151A72EB57A43,SHA256=B00F54029F3CD330C62BBF7319ACD40DE40F4B0457D4B0F11B3D380D888D8A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:34.976{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:34.976{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7B10AF18CD4DA974314C75196D8B3F98,SHA256=E274C210C3E988998B5487DFDAD90CF13E3D7068A794C1B4C174BA7C21A097F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:34.357{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F8CCCECFF811098810CE1FD4931423,SHA256=AA25447436029F1A5A25001DF90BF7B54C8B469B7A5541B08B728A200AD075F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:33.004{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55072-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:34.244{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59EB4935C55038910DF2A64A80E6B44,SHA256=EC3320F0305D4D404B6ECB91872FED8A48D717ABECDD6AB8D12486A84A3C72D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:35.476{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A07AE8D343DF05BFC6FA913CE53D6D4,SHA256=0E0BF008733D39A78516D56FDEC1DD3001BDF27CA00E542A373CAD9C479D81BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:35.979{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:35.976{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:35.967{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:35.965{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000310069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:35.359{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B119C8584E7A8D153203EAB5D099ED,SHA256=C7162BE34984A9D768D2EEA5482C8E5FC32E9BFD1E29E15220E834674BF66FD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:33.518{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61412-false10.0.1.12-8000- 23542300x8000000000000000298582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:36.607{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242A95CB69D7025585A4DB60DA2D66A6,SHA256=C552159E81B37E7F3968466F355D48D5EFA519184666619FD54E8133417C44B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.690{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B98D61767B93E115BF814AAEC51B08,SHA256=185DE4A6FC4C5D4BE4B3B1823218AC84852B158D794F8229725292E1433D1421,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:35.203{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55073-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000310124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.382{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.381{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.378{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.370{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.364{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.360{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.354{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.352{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.349{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.337{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.332{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.327{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.325{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.307{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.286{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.283{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.282{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.281{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.281{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.267{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.250{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.228{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.217{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.208{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.200{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.197{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.195{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.188{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.187{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.183{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.182{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.180{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.177{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.169{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.167{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.163{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.152{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.120{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.099{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.091{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.082{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.063{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.024{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.014{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000310074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.005{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000298583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:37.737{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61F3E217D97246541DD5F53EDC7D063,SHA256=B8E810C4FDFE65D48AE62ED0053972CC9850E88A5BD1837F5A1F4F9646B55826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:37.427{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C9E43C88443B20A7B3BB024BBE61FE,SHA256=EE0A105DA94C8811BC3A728C9B09ABD3C5D64ADFD4E85428C3709B893661AA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:38.839{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EB5D15942B45EFEB04B5D8C438771E,SHA256=CAFDB4C42942334D1B0FBBCF8032B6CC124824D5314368487FA94C8DD2333EE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:36.982{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55074-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.443{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7527759C0419BF78AA85136DF22DE39,SHA256=3CA95AFAF6F47354436B0B24AF7F87C2A8D2A9B46A48581854D6F1D196BD5D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:38.006{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D032A7DD22A7B1B97CA62571934D558E,SHA256=6E1DF73CD41DA86F949646A648508EF82CF5C9F4B104C22EE4529C099B9267B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.326{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.326{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.325{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.320{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000310133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.319{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000310132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.317{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000310131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.315{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000310130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.313{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000310129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.313{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000310128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:38.310{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:39.953{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF80C0F989F8CD6DEEE21322C2A5D83,SHA256=6454F100C02B32466A5FEFFAE05742B117C3DC5E8DD89434BFAA89D252E22FCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:37.487{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55075-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:39.543{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98568268A6D3C49C632B5A77023F048E,SHA256=3EBAD98D460C1B25B4499A276DCD50DB411DD199F00CFECC64A4356C98857308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:40.674{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE01348CED27662F3824683E00D37B8,SHA256=91AEE63BF4CB8D4C10073D684BCCA1864B41F070BF934F62DD38C56F746B63AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:38.668{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61413-false10.0.1.12-8000- 354300x8000000000000000310144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:39.771{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55076-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:41.707{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504AC48175839F3CB4B37F29A8148C05,SHA256=4EF5D5BFAA47CFA39AE8BA91089B2EF1C410089A720C49B396994C9845C64445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:41.421{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3922ED3A8647652C734D89D53F19204F,SHA256=AE83364E153FD77A8B429CC966D5F4ED5386475B0F44AC5FFF38CA9178D12811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:41.054{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCF0BCE8BC84432BF0729D09E70FFE8,SHA256=412E226F5575DD3B1753325A15ECFA19ED742B9638A1C714B84D5198E5D00609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:42.807{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7799F99C9155413E0ADC4CE4DE776F6,SHA256=A596975A8874F558AE2A8A2D565C2E1D7E5DAA05E9317C27640784D79C65E2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:42.758{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A14C430FDEEB26F5A710106FE2B5600B,SHA256=50855A3EDBFD9CAAB8ECA6D6E6E08E22A98187D712C2C9CB06C6EBC9F19F3884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:42.121{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B682C6F6A2D45EEE45A5606261FC59C2,SHA256=399CAE31DFD56830CDD7F3C959C337F20F08F8A25D48FB228AEE13048C88154B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:42.086{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55077-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:43.807{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F4AE83D0EC3EF443048566AA1A0989,SHA256=859C7C0AE1D76628EB2ADB4342701D3E1E414C37E3735DB08DDAE5197A0F9D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:43.337{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973FB858994DD5016F0856282878D61F,SHA256=B708459359152B643DF38B9D9C959EB71280F654FE22141AC1D7F5973E9C5FE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:43.000{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55078-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:44.857{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4212EF42BB60AFB9169640B36E3654B,SHA256=2E06317628729D0B42D0A7731A01B4C23403D0CFA26E205DDF27511F0F35C327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.714{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.702{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.695{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.693{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.690{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.651{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.642{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.629{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.622{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.613{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.603{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.593{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.579{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.571{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.557{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.546{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.493{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.490{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000298592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.474{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A698BDD53668BE6B7F6755DEE121D5CC,SHA256=7506C4D463B77208C90CC3B3382181EECD811F748AD26971F9C30D737B86039B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:44.042{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:45.991{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA51BC67DA1F13C8B414A322BCDF5EA8,SHA256=8E10B915CFC9DD9E7C824215DF8A810044A63510F4A4A7566E3BB07A0CFC6F45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:43.818{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55079-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000298616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:45.504{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488CCBC52C236D2B7D5A3058D1AD918D,SHA256=E45B9ADED2DB28BF9A3B53D06D847264EF133C163AEF4AA592A29912C7AFBEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:45.042{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:45.042{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:45.042{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:45.253{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:45.251{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:45.248{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:45.244{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:45.242{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000310158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:46.957{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED46364361E3A8DBD5B30835E3FD0EC,SHA256=B6FA7958D73CFC6D3E18698473D50DDE1D3E2AA1B736554B8C45026028237450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:44.371{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55080-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000298618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:44.618{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61414-false10.0.1.12-8000- 23542300x8000000000000000298617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:46.589{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF26A59018FEF68C98AB9469E704D66,SHA256=9CB1B8C467DEF455FF0BE4C7DF1A2D93679B2775D4903025CB42D5EE11753B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:47.972{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3553F3CA4B30B82713D057DDD72E7505,SHA256=79E223D7042B85E08F927646471EE47C188919BCF0B0FDCBBC5950CF52E2AB9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.997{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.992{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.989{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.986{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.982{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.977{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.973{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.961{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.928{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.914{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.897{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.860{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.854{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.837{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.828{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.825{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.820{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.816{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.811{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.810{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.807{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.806{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000298624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.736{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F2F01608DA4CD69D98F740397352E8,SHA256=88A1C5A6A53BCFBABE3D317F80346BD4EFAE162B6CF2E21AEC9742DD81A9F410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.301{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.299{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.283{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.281{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000298619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:47.275{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000298647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:48.824{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D59C8E86C61FCC6A79C721A58172FA,SHA256=BB4CBC694C2C19FA8582D8E8181C1C1B46576DA97DC7448E75BEAEC64A9A79EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:46.654{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55081-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000298648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:49.938{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E23BD8379A25C89A820783E4E99ED4,SHA256=DA55F32F549A90EA254227FC52EBCFEDC557F4A0FEACAB92AEFAB998F782CAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:49.004{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EDF7F23C7FFDD1441782E3C9BC9ABF,SHA256=0788A00A588C03EF3D8606F8255B3EE3034833332822C5B937CEF56E1FCB353C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:48.993{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55083-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000310163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:48.836{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55082-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:50.155{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786482263AF8CECC7DC1653516BE054A,SHA256=7A8362A76798C577175CEDA7A2A24D8806DEBA4335D71E288A3BE6CF82B705E1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000298649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:02:50.254{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8b7a0-0xab3660ae) 23542300x8000000000000000310165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:51.256{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F1ED5218D30051F87FDC9A1B479EC2,SHA256=7E83626A9E9C97A043765DA3865F2B78FE45F00100A2A169E3F6E6F69F0D8B31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:49.669{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x8000000000000000298650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:51.023{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3256C1AE6AE1ADF386AF6D5B91AB92,SHA256=C56992516E3555CEAEA63C948AFE417015040050D5573EB4F39F37180B0C67FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:51.121{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55084-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:52.356{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DD14CAA185BB3CFE226774E98204AB,SHA256=AD9DFDC658F89B8B6F1E988E374E499A84D7EA78707A5FC4BBDAA65B082CA6B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:50.604{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61415-false10.0.1.12-8000- 23542300x8000000000000000298652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:52.108{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3E1D83C51C2E5613E0F31234BC2C7B,SHA256=2E41DF61CDE1ABCD470890C62684DB5706A8A81EC8DCBFDCC83948167D552EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:52.077{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-162MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.939{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8422713183E0EEFAE6D4A62CDF8BA5,SHA256=0A38398DEC1310147CE948747468CF1A8519D583BF259292C33050CD3B489F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:53.226{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35092EB23430F13DA2D70D0964820D4A,SHA256=19D3BD4CFA079243053A474A540F224D9EC244E29D32251EE575B8CD5BD0D606,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.386{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000310219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.386{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.386{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000310217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.186{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000310198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000310182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000310181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000310176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.171{F6DB49F2-F74D-6305-AD05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000310169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.076{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:54.342{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457275FB184DBC80649892E63471F461,SHA256=2AF4E7C1A37CB62497EFE374AA7DBA7799909E6A08825259711D6DEEEC04DA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:54.286{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=385B1D3B861E7BA8E59FAD744ED4588F,SHA256=3B4843B990BA00D2120EBC9568DB5D8F00222BD5A511C3C1F3B931EB4E884AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:54.172{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=00A644EE03153A0C64C42A98D2CAC816,SHA256=81F2DF7C76A2B295ED149420A8CA1668960EB57A8913C7B0FF4E03554C2C2D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:55.438{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B376728D300672FBD8E2AD61F9C8A1E,SHA256=05D6B03600E5F5C4D1DF47F42E89AF3998C817C36DF9C614AF4E1F183778D3A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.997{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.989{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.981{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.970{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.967{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000310280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.605{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53BD71D4C498F366D93ADA085BAF9349,SHA256=8A2E1520D484C4DA7A778C093DEBE5D97CCA07DC2C9308F411097BE7A9CFC150,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.556{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000310278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.540{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.540{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000310276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.408{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.408{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.408{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.408{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.408{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.408{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.407{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.407{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000310267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000310246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000310245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000310243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000310242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000310240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000310239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000310236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000310231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.386{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.387{F6DB49F2-F74F-6305-AE05-000000007602}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000310224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.004{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9D3C91F4946A49496721E6A99EBE15,SHA256=FDDF290CA1A41E33C6CE5848E3866A6A783DA6BE2D6214233CCA2A256A4F1231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:56.938{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:56.938{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:56.938{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:56.523{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53AB0DF9D35FF8CBBAFB1F3229F3226,SHA256=1B622CA7A95AAA0B2DBF8807682AB492A90A29C3C8D2657D47DC1767E7F6C863,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.721{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.720{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.719{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.715{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.712{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.709{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.706{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.700{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.693{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.689{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.685{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.679{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.674{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.656{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.631{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.629{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.628{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.627{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.626{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.626{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.616{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.603{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.571{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.548{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.535{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000310370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.532{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9125CB2297A921DA77AFC8E76E45639,SHA256=2D224ECCF6DCA6124E22C0EB7612B99A5ECC1E1F8D198077D4EA54610266ABDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.529{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.528{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000310367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.526{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7383D164C292F3B770CF0008E7A6BC6,SHA256=A02540F242F0903C4CEC1BE6120855E8368B52A34107B438E312A8228787DB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.524{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.240{F6DB49F2-F750-6305-AF05-000000007602}27921708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.240{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.239{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000310362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.150{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.148{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.147{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.144{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.144{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.142{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.141{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.136{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.133{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.118{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.112{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.110{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.096{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.075{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 734700x8000000000000000310340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.074{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.074{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.072{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.072{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.068{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.067{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.067{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.066{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.066{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000310331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.062{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 734700x8000000000000000310330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.057{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.056{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.056{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.056{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.055{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.055{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.055{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.055{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.054{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.054{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.054{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.054{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.053{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.053{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.052{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000310315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.052{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000310314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.052{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 734700x8000000000000000310313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.052{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.051{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.051{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.050{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.050{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.050{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.049{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.049{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.049{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.048{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.047{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000310302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.047{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.046{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.046{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.045{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.045{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000310297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.045{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.045{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.045{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.044{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.044{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.044{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.040{F6DB49F2-F750-6305-AF05-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000310290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.040{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.031{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000310288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.008{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000310287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:53.314{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55085-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000310286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:56.003{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000298662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:55.701{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61416-false10.0.1.12-8000- 23542300x8000000000000000298661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:57.622{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2156328CB9C3DB566F8B21517EAFE04,SHA256=EC4EA257A25F221DF0D11353E64DC06B331BAE0D31871D8CA4A354F9DE5960A8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.708{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000310447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.708{F6DB49F2-F751-6305-B005-000000007602}5116908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.708{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.708{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000310444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.571{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C745BFED38059FB42FE8F90E9F2F5C3,SHA256=7504758C2980A4B2006DC00E1004AE6C53F2B72E93F68F9D83D52CB7A16916A5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.556{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000310426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000310408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000310403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.540{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.541{F6DB49F2-F751-6305-B005-000000007602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000310396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:54.954{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55086-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000298663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:58.706{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895519EFD7E4D8BECFD8FB448B9F2609,SHA256=C37CC1D9A7FCE69637775835987BE9327149F2D0519017193ED47ECCFB6D8961,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.924{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000310554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.924{F6DB49F2-F752-6305-B205-000000007602}45645244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.924{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.924{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000310551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.755{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.755{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.755{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 23542300x8000000000000000310548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.755{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA58D1693A0F99A5E82BC00CB1C149E3,SHA256=5BA61CD61184C48ADFFD5496087A20BAD280EE0BA523F62AC956BA40BF4D472A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.755{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000310532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000310515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.740{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000310510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.732{F6DB49F2-F752-6305-B205-000000007602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000310503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DF569DED30DBDFEC3429629B49DD6C,SHA256=9645EAC6B6545617DA2367B3806192378F9ECC208EA7E88A2EE2D7A5F15ACF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.724{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A5069103F521D64F1B70C847903A19,SHA256=B56B86EEE85C7AEB38BEA91F6E00CBCA59459F12E4E8FD21E02C7751B57B18F6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.408{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000310500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.407{F6DB49F2-F752-6305-B105-000000007602}51005000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.387{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.387{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000310497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.224{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000310476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000310462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000310461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000310456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.208{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:58.209{F6DB49F2-F752-6305-B105-000000007602}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000310449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:55.514{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55087-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000298664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:02:59.837{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6BD990AA328957C4D7D5EB88E514F5,SHA256=CE13F84F553C16C8AA4DC5BB0EB77120E2288AAD9ED764C956348A0408EF32EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.908{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4F4D3ED5191ADEDEFA9E6025EB37157,SHA256=F33CEC584D8577B671DEEAD1B07E2891B4F538D906F60F955E2E3B0F53668F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.907{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E23792E3BBD9DCD251A8782C089EF9D,SHA256=419F0E5570FFCD1CD093C285F1F433DC4147C7E0CA667BC315CD32B80DD73314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49347431566A4FD00768AD49C2F56119,SHA256=4D65FED9E3FBA1C99FC0AB3865B2524A94FC3080C7A0FC3D7A6B6FA5E40934C4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.612{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000310605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.612{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.611{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000310603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.412{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.412{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.412{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.412{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.411{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.411{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.410{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000310588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000310571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000310567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000310562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.390{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:59.391{F6DB49F2-F753-6305-B305-000000007602}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:00.954{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BBB53E98C6D21C884342E15899283E,SHA256=763B7597ADF372C599005610CE3229B2C43877356253AB672EDDEB086C20E2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:00.943{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EC064B4D65DB89F105EB85F41D8520,SHA256=4573EC9E6B62A74C885F634557C5B24115DFF7AC125B9301ADCCC1D1A68A6718,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:02:57.800{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55088-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000298666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:02.107{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA7CE02A6E22ED4D3BD355EF999375F,SHA256=B84EB8FE27500B3D19079989646664243FE3B211D8EC728BEBDE8C2CEEDC1658,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:00.080{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55089-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:02.058{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2328F5ADA56AD791B535DAB590C0E2C3,SHA256=4A982B1A7F2F866EBC917F34FFA41B898CF3ED2409A27D5436D7DF7FBC4622BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:03.206{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F30E21294FD324B687AACBC0167BEAA,SHA256=C64F7B421CFAC8AAF8170015CA7E6D767657F2B00E6290D9463046D06F5C400B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:00.932{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55090-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000298669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:01.617{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61417-false10.0.1.12-8000- 23542300x8000000000000000298668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:03.754{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-162MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:03.222{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFEB2CFCECCB6FAF75D58890ED0C39F,SHA256=63F9172E45A25AB24A0A13BF1F5A9751F5DDEE6BCB4530560320AFE3E0E16037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:04.306{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D4EA22FEEC805FDC6F8F5886EA2A94,SHA256=5E7A9D0DDA3F809644B4E4674773D2841784E190851DFBCCA6868AA83E8EB667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.752{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.702{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.689{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.686{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.684{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.682{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.657{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.650{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.628{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.621{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.615{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.604{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.594{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.579{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.570{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.559{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.551{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.493{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.490{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000298670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:04.292{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0965101CA36EA74BE190D60254D0DD3,SHA256=334786AD8C8EF323BA64FAD164216D5D6A34DBB4D24B9742FD9E90432A5094CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:05.561{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835663F899CED5843D73A517C20E1D71,SHA256=DAD0B913AFDDF2E8B5D00DE1CBA9FDA734C2298018EEFBBD0F0CF2DAC39AB9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:05.426{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBE4D8B6C7DC5D9BD5CD1B04A736846,SHA256=C6A1A7447A1683D6AA76D42A7921838F10B877D4D3DD8109527A5874E8689663,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:02.370{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55091-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000298694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:05.163{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:05.160{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:05.147{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:05.144{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:05.141{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000310620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:06.526{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6972D2B6DAA6C7151416AD37012DEDA3,SHA256=91A9CD6220E956944205E45C6193E4C1CA61A6353C0CC1190CC9CD6276F8CF23,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.976{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000298802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.976{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.976{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000298800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.892{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000298799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.892{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000298798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.892{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000298797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.892{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000298796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.892{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000298795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.892{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000298794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.809{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.808{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.808{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.807{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.805{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.805{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.804{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.804{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.796{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.796{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.795{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.795{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.795{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.794{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.794{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.794{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.794{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.794{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.794{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000298759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000298758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000298753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.776{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.777{D25361F1-F75A-6305-5505-000000007502}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.309{D25361F1-F75A-6305-5405-000000007502}71247048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.309{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.309{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000298743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.154{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000298734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.139{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000298719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000298707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000298702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.123{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:06.124{D25361F1-F75A-6305-5405-000000007502}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000310619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:04.585{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55092-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:07.626{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59FB929E61C20D91D5B479816B52910,SHA256=BD8E0D4277D9BA9DEBCA64528C40EC436F093416C4B7807CF9D120B3E87C6480,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.973{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.972{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.972{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.971{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.969{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.969{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.969{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.966{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.958{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.958{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.958{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.957{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.956{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.956{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.956{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.956{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.956{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.956{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.956{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.955{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.955{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.955{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.955{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.955{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.955{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.955{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.954{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000298903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.953{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.952{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.952{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.951{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000298899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.951{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.951{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000298897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.951{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.951{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.951{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.951{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.950{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.946{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.940{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9236F55F6EF65A760C8FA3A72C79E9C,SHA256=355861029B36729D8A49718F89E57E6D9B1B8787B1875A63B067ED82CC6D1159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.869{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.865{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.858{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.855{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.851{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.842{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.841{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.833{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.807{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.800{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.790{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.775{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.769{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.760{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.756{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.754{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.751{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.749{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.745{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.743{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.741{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.740{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000298868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.607{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A1ED9D7C1D4CBE7804265378EA2301,SHA256=E517FB0C3535ECD255D10AB7C5A03C83E7C013BEE30480020911BAFE2ADE4142,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.458{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000298866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.457{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.456{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000298864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.287{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000298855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000298837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000298831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000298830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000298829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000298827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000298824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000298820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000298818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.271{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.270{D25361F1-F75B-6305-5605-000000007502}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.268{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53B7B0B602B0E3D409FC9586C02D0E2,SHA256=9C23E180B69CA74CB8C49B382EA3420233D76601379BE3FC77F8DA92E3104ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.245{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FE4896CE0D5F59759EAB6BB08EB71F,SHA256=CB838DEF3B9CEF3362967695FDC0A597BEA3AC37F78615E5B92282F6817EAA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.228{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.227{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.216{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000298807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.215{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000298806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.213{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9656C819B8FBBBFA5DAD4D6C2416A6B8,SHA256=936DED8339229B1E8E5F8BC3D0EBCDDCEAB3C593C7362AF65F966A6FC4A42F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.212{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C7084D57FB730307108FF45A67577EDB,SHA256=73828982CF86F653BD9470CC294FAA1AE628A6BEA870657459A5F1DE7AB33A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.209{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000310624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:08.708{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9F8889FE165ECE3F843CE30CFEFC87,SHA256=D27FF5B7546C377F445B3D61E10F76230C63CDC0587DC4C34A1DB43734902D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.955{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011745938B7DB59E72DC35305F8E8A03,SHA256=D7D3A64DEC368B255683B1489D3CE69FE11427CD9AF7FA750E08FF12DE64BF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.917{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231169D23A898F8980E9B6ABDCBC11E3,SHA256=61A7D58B9E6ED53CC7E9CFDC54F64465865367F8820583A371B7EECDDB90F321,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:06.870{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55094-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000310622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:06.018{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55093-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000298995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.794{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000298994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.794{D25361F1-F75C-6305-5805-000000007502}50327000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.794{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.779{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000298991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000298990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000298989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000298988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000298987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000298986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000298985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000298984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000298983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000298982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.642{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000298981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000298980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000298979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000298978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000298977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000298976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000298974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000298973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000298972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000298971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000298970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000298969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000298968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000298967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000298966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000298965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000298964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000298963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000298962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000298961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000298960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000298959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000298958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000298957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000298956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000298955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000298953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000298952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000298951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000298950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.626{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.627{D25361F1-F75C-6305-5805-000000007502}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.261{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=210FDB82E89E39FB165FD348F46A1A84,SHA256=A2BA7C7010D4DB7ABE7CDC1B6CF32F835354765AD4529D82CFE48999FE505DA8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000298942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.126{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000298941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.126{D25361F1-F75B-6305-5705-000000007502}68364564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000298940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.126{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000298939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:08.126{D25361F1-F75B-6305-5705-000000007502}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000310625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:09.842{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595321D35894244C2C3325244348ADF5,SHA256=F226C53A159494874699682BA26FB92BE7E8434529A787AB31DE4C98F9AC7B95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:07.558{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61418-false10.0.1.12-8000- 734700x8000000000000000299048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.468{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000299047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.463{D25361F1-F75D-6305-5905-000000007502}60486108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.463{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.463{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000299044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.311{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000299024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000299009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000299004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.296{D25361F1-F75D-6305-5905-000000007502}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000310626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:10.959{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C958AF919966B3BDFDFB4C48FD8CFE96,SHA256=8C1E4FA32911A40039200EE21C32E448048A5511CC9B4759C2BAE703CBE3EB98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.089{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61419-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000299051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:09.089{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61419-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000299050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:10.051{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AFF0709DC8603C126ED0E5E8E33403,SHA256=3EB2DA647190C16D3200DDC2844A20BDCDBBE305DE7E7B50A9CB25246B3DF7D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:09.154{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55095-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000299104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.779{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000299103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.779{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.779{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000299101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.625{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.625{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000299087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.610{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000299069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000299065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000299061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000299059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.594{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.595{D25361F1-F75F-6305-5A05-000000007502}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:11.141{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F2160E93A0E9B51F4C0D18ECAB3F7A,SHA256=320EFF1CFB469A3DB088B98225612363C88A14D5E2C560A0F81EECD8BADBA2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:12.780{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE4316D1E586B25C4C8B10B5F9B18B6,SHA256=83C100400295CA2E57C416F254DEE046A947345223102B431D5E7211F9EC20BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:12.282{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0503F04EE4E5DA9D814799648240AE,SHA256=BC8EDFE81BB6120DDE4DAC5CC463526D0A2A99C5E2B5D7D5CC39F7B1489946C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:12.090{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0985B48A4643E0185AC4A86D9B8A3D50,SHA256=9DD6DCA3EBC3956972DC2EAF6F31AC5D9C6497A329EEAAD571F9961D1BF88A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:13.343{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA43C9E58F496C53F4F2279C590685F,SHA256=E9EDD02529773D9461DC9D5194660C0796B450D6B48BAB7EEA46F76F210E2C32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:11.323{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55096-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:13.127{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548D307B32E665B33CC5E231E61C9A4A,SHA256=EA95CE9BAAE68A30BDF5E81D3261BDBD5950FEE6D1A333E6F1FA426A4F9C957B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:14.460{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A71F1689C0E9EC1552D16F422AC10A7,SHA256=6963D3590D6371FB36F77C511120FE599E81547276B233A7A4F41E27BE85D175,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:11.881{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55097-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:14.157{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B498164C8907055579819FDF8A6CDC8,SHA256=19A6CA3F8CF89C23443094F580548ECC95CBE6A9B90722FE054F251E97B78253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:15.593{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116389C2378372B9F7F0F1792075AE68,SHA256=9F67B86FD1406D73AF8B6B8978B6AC53609AC2FB67930331F5B1C3A6D93526C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:15.992{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:15.984{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:15.976{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:15.970{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:15.967{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 354300x8000000000000000310634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:13.517{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55098-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:15.288{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1251034CC6F43AF96FCF426331225A8,SHA256=CC238C731A9736A666F59390EF14662C1582F2A382A92169F6D0CF6695FB2F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:12.606{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61420-false10.0.1.12-8000- 23542300x8000000000000000299111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:16.739{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9A960BAFB9D7CDDDBCE0BD357D2664,SHA256=9EB541B3ABAE5123B4185189D241F6455C0E7919A2307837C929D68DADD9471A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.460{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D195D1400D96039722634C9B16673D9,SHA256=9F287567BACE612BC59D8DFC6D7D7582E85EBA0022EDDF471F57D3126FE31ABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.274{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.273{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.272{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.267{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.264{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.262{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.259{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.256{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.254{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.250{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.247{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.243{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.240{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.231{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.213{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.211{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.209{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.208{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.207{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.207{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.196{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.182{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.160{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.153{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.145{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.134{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.132{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.130{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.126{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.125{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.122{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.122{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.120{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.119{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.116{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.113{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.109{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.107{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.103{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.088{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.086{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.074{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.065{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.057{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.048{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.041{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.030{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.005{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000310640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:16.001{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 23542300x8000000000000000299112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:17.841{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C464A7CB957EC2F65C181AB451BEABBE,SHA256=1D42C16F5F39AF2E6BDA1C2F44F590515A5563D307A691B7A2744E5741FA22C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:17.490{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030CB20A42D9DEAC3F9CC9498F26E75D,SHA256=FB30D8573ADD125EEB562D685E0650434D1111B6ACDD5EB28C8F5F12CF56A07A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:15.785{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55099-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000299113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:18.925{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2E6050A3BC401099E880125D906271,SHA256=E57CED35A57DFDDAF0B4E7AB23678D8F1628DE9A6FA984894EB7731E7C62A088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:18.590{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082C4626576953873F4D98D699FC28C0,SHA256=404492031905FAB70A19D4FFC0614A5F993D73F9847B37C8A10E34E0E8570103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:19.626{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADF69AD9A50ED9B03472EAEE849B0EF,SHA256=5840B87C37E44BCFC747A1C557362BA6BCE96C09C7365B51F09607BBB7CF42F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:17.032{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55100-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:20.730{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7704FEF909F107A437EBE96FE14C4D5D,SHA256=D7256A286D51F5A8BEA26FC5AD60AE5E5C39194F5A747343569E1A440FAD8494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:20.439{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:20.157{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA92FD5137308C85A4DDE36996B8A6CA,SHA256=E9295FB5043BAF47461589193B91DC6E72F5B5D097415B99CE7AD877986875B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:18.071{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55101-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:21.860{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EFD8B434733C0343F80E135F403553,SHA256=6A4BF2CE74D59751A549B3D2DFE970349978937864A2425B6B510DE88694FCCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:21.278{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0793ED13D9538E45980EE409B807EA,SHA256=AFB8B128201100CBEBDE48B2F9207A68FCDD75F7279EA50ACB1B367E88C0CD19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:18.541{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61421-false10.0.1.12-8000- 23542300x8000000000000000310700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:22.991{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AEC7D08ACB540A6A844E31C3166845,SHA256=316FC235D43D83A1F9E58E99D494AB1FD9225ECF48F4B8AF24A20F6B8E3B397D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:22.280{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B839D62100AE2B50E1A02AC98A11E6,SHA256=7E6DABC02FB77FCC518325E3AECFD24C2A977537836880B460938373F1916BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:19.887{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61422-false10.0.1.12-8089- 354300x8000000000000000310699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:20.241{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55102-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000299120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:23.407{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F83A9B1FE786D5E5362A8CE9A9878C,SHA256=3BC3D6816DCE1F00848B259C4AAC04FB8CF56C624915F7CC73F71FE059AAC3D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.693{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.685{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.682{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.680{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.677{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.654{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.647{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.635{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.626{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.618{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.606{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.598{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.585{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.578{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.569{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.562{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.528{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D15A97BF47A30B29C0372357C700BD,SHA256=D43227C2C2A840FE9153AA39BFC19CEB835259A1E30C57CD34A43A9A130F99EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.504{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.500{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000310703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:22.851{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55104-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000310702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:22.519{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55103-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:24.091{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C44C0C5089A6BFEB83AABBBD6ECC75F,SHA256=3353CCFAADD5726BB81B0771C4D7844863AD7EFB247161E01978C92BF3217BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:25.563{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEF7519046F602E59981B3E9290B54D,SHA256=71416804B6B192A32E009E1374B5A231510C1A0109C7F676D4D30C928C7E7134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:25.912{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=57345664408B5E921B2D38F439E2073A,SHA256=2F53DA2BA9FD88242D7E1B101056EB2945269E81CD734519992F11F2BA222805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:25.228{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33906420CDB7A13701B11094A1B7647,SHA256=FAB9DAAD50E2A9AF8892C6D1164EF6AF50E92BD05A6253F1EF04C16632DBA337,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:25.124{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:25.122{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:25.119{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:25.116{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:25.114{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000299195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08,IMPHASH=9178CB7144790F36275451518A7203D6trueMicrosoft WindowsValid 734700x8000000000000000299194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DA,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000299193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000299190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 734700x8000000000000000299189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000299188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.833{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7,IMPHASH=5CFF0D3EC414472191BC623FB107BCF1trueMicrosoft WindowsValid 734700x8000000000000000299187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.818{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 10341000x8000000000000000299186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.818{D25361F1-D01B-6305-1600-000000007502}12886224C:\Windows\system32\svchost.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.818{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x8000000000000000299184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.818{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.818{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.818{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x8000000000000000299181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.818{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000299180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000299178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000299174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000299173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DAB,IMPHASH=8BFED2C4A0A233671E2426106589658DtrueMicrosoft WindowsValid 734700x8000000000000000299165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x8000000000000000299164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x8000000000000000299163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2,IMPHASH=20C3512CFF09FABFB994B8B9DBF73B4FtrueMicrosoft WindowsValid 10341000x8000000000000000299158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.802{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.794{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.794{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.794{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.788{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000299152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.786{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000299151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.785{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000299150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.783{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000299149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.782{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000299148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.782{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000299147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.780{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:26.643{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43A93C984205485E9957FD6620EF990,SHA256=53F7C98F042461134E740B1C204B77C0CE9FC194150CE2F7D341CB82ADC05E79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:24.718{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55105-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:26.343{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799F5DC5724067913CE04D927F574AC9,SHA256=BCBF26F9750747B1DCB2403412273639A23E5F5D335C409585AD37B9E7092022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.860{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F0B7DA29C682787F97B2628ED889F7D,SHA256=C75F035EBAB7954365CA0DB8184DF02324C7AFF35D46D034D2B6A96BB3CC97FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.837{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.834{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.831{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.827{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.823{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.816{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.816{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC15BC64FDEA3177548E72E8CCA3403,SHA256=800DDBCC68AF8E059F7D5718D21AE7535742404FDE236A3FDDD49DF08F1CB3CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.804{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.775{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.767{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.753{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.726{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.716{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.708{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.702{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.701{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.696{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.694{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.688{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.687{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.685{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.684{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.677{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000299206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.677{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000299205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.677{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000299204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.677{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000299203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.676{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000299202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.676{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000310708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:27.474{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B640A3FC3D3CB68CAA778A012A0FC3B,SHA256=277F6D2CFF4A390BAE06BC1D3A05CC8375D155D0EC28DB57C75859E56103EC7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.181{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.180{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.167{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.164{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:27.157{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000299196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:24.525{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61423-false10.0.1.12-8000- 23542300x8000000000000000299231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:28.941{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2718E69E457647B0AD72A76F47E59D20,SHA256=F73965539077E796319BCFCE37016482FC4C4B1E931E24ECB5081F5C124DEE5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:27.002{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55106-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:28.590{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D0FC7A42A70A08E88D68814713079B,SHA256=E084B1F37D6C627A9D3FBF6C944305E9016324FE89F216DE112395EA0BCC4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:29.692{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FA1F8C1D63023D210CA714CDA8D44D,SHA256=F3A825CA1E09DE4C0CF9B3687016DC04BC4D8376A09B5A7A39DE1AADA53274D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:27.917{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55107-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:30.811{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAF01E483794A4474A05EA4DFFAC2AC,SHA256=575DBDD05A6271DE63F2692504BB19BB7BBBC550351C1FC3512797C21800E34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:30.058{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28433B1C99F70151E74FCF2E66986C70,SHA256=C337D6798457126A3F79992FE35AA113BA7DF2CABC41C0A914A389F5D90CBC28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:29.285{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55108-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:31.943{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B20B705B59A5ED1C6839C8BEB7EFBC2,SHA256=4EA81E8A8E5967524890BF9DA237EB8957562D5B1464580BA6E1A7F4B48B4E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:31.158{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7E287BD5CF97EB13FEAFEED2EB6093,SHA256=62C108BC2A5A9206210E3D5959D3C273998BEC2E4F635B3BF925F665BBEE9858,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:29.720{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61424-false10.0.1.12-8000- 23542300x8000000000000000299234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:32.257{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE1B6B8B4FF20D62F7258C652311352,SHA256=15E4F805AAC44E27984C1D530A05D48180C13BDC0DC25F52CAD172B8D8FD3253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:33.278{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4648F0A1F61C29707E7DEEC6059AC1A9,SHA256=EFBC035F6D771498685B08C5602DFEF8EA88C2471727B5A3EB60DDDBAD2B31AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:31.469{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55109-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:33.059{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453A2A67412C2A76B6C286262B39C0BD,SHA256=6A0C990CE23496255AB70D414D09212BD935428928C29B4B62D3A4A580C1A3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:34.408{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AB2744D2C4778669D3229396E6519B,SHA256=01FEB1FF0306BA42F1AA0579B6A2E05412FF254CA13EF858ABC6DFD0531A6577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:34.159{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8093B08BC0AF7A8956C2FF2F76C980B,SHA256=5740BDB4E04C97763EB61C935E1473291981A3A23288CBD00E79A7E7799698A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:35.508{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B7540163A711C4E3EC122BB2B688AE,SHA256=5CAE5F2913C7CDC8FBA4DAF99CA1C88166CB9CA2F1C8FD02C93E9EC8217687E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:35.997{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:35.985{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:35.976{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:35.970{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 10341000x8000000000000000310722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:35.966{F6DB49F2-D1B7-6305-CA00-000000007602}48604640C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318E190) 354300x8000000000000000310721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:33.897{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55111-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000310720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:33.655{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55110-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:35.274{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FF5245A31165B105CD03FCB5131A94,SHA256=B2F280EE11376B22D487D6A5C5E473C24750D8AA042149A718E408F9586BD0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:36.638{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D962B50D9E6F35C5E03C62A031BEEF,SHA256=9E72F4B250CD1D6A13946C138F15121A74764D47EEB7A478132CA3BF079D3FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.570{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8460DB2B93D1F85CE1AAA9070798832E,SHA256=2C9B9C7A92CAEDF6C54CA23E337906E09876BB27F3D8C33D8BC1CAE8996C09C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.388{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.387{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.385{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.378{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.374{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.371{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.366{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.363{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.360{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.357{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.351{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.346{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.343{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.332{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.297{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.294{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.289{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.289{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.287{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.285{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.260{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.243{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.209{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.201{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.190{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.182{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.176{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.171{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.168{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.164{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.163{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.160{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.158{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.156{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.151{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.146{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.141{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.133{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.130{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.125{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.112{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.106{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.092{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.084{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.078{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.070{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.058{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.043{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.013{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000310727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:36.005{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000299242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:37.757{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E45E40C42E5096299E23FAD1686051,SHA256=467BB5EA4621F0E7FBE20E2EE77DC6B586E35487A6FDC3DAB83EC07A7FE4E3B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:35.955{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55112-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:37.316{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDA0BD9713FFCA1D8CC03E5DEF2C65F,SHA256=1FCD14F913A93155DB74712D0D957DB3418C3D807C7B7F4929867DE4DD7708D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:35.471{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61425-false10.0.1.12-8000- 23542300x8000000000000000299240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:37.408{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6711471C9C23CA6BD204AD4AB6CA499,SHA256=D9422DDE7B6292E4A16D8758F38421B33A85E9CE430DEE3CADAD94C15B87F36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:38.892{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CF405AC0BD0E77770D94FD8EED14DC,SHA256=C2C2C29B2ADA80793E7BCBF93E6BA10A6EC2551D2028C84463D1F6AFFF55E90D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000310835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.992{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.992{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.992{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.991{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.991{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.991{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000310829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DA,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 23542300x8000000000000000310827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.416{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3579DB1505DFFB5817B2198FEFCCCBA4,SHA256=A7914F6D342C3D5EF75372AB1C1A517DAA4736DEB01F35B5F777EA406D0A6F94,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7,IMPHASH=5CFF0D3EC414472191BC623FB107BCF1trueMicrosoft WindowsValid 734700x8000000000000000310825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08,IMPHASH=9178CB7144790F36275451518A7203D6trueMicrosoft WindowsValid 10341000x8000000000000000310824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-D01C-6305-0B00-000000007602}6241224C:\Windows\system32\lsass.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-D01C-6305-0B00-000000007602}6241224C:\Windows\system32\lsass.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000310821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.381{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000310820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.365{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 10341000x8000000000000000310819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.365{F6DB49F2-D01D-6305-1000-000000007602}9243388C:\Windows\system32\svchost.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.365{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x8000000000000000310817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.365{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.365{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.365{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x8000000000000000310814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.365{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000310813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000310811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000310807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000310806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DAB,IMPHASH=8BFED2C4A0A233671E2426106589658DtrueMicrosoft WindowsValid 734700x8000000000000000310798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x8000000000000000310797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x8000000000000000310796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.350{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.334{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.334{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2,IMPHASH=20C3512CFF09FABFB994B8B9DBF73B4FtrueMicrosoft WindowsValid 10341000x8000000000000000310791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.334{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.334{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.334{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.334{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.334{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.328{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000310785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.328{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000310784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.320{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000310783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.317{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000310782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.317{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000310781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000310780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.312{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000310838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:39.932{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A7DBD64BBFFF2E44214CF1EFCC829A,SHA256=59018F87E9DDA87249303BD2D2DB599CCAF1B2019A4821EA7B8251E1936370E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:38.144{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55113-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000310836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:39.413{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76093C25D691D8B8B82FFDCD861C4C98,SHA256=1168E2D2AFB62757557CB94080B2704EF186ECA623E02F18BD04E119DA5D3763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:40.463{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797ED3B9B07EDF0D811F25F39118D600,SHA256=77FAAA043864C8B4870EFCE10BADD7C02E10480F3FA79709E22DC8E04727C217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:40.009{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640E227986207486B0E4A6C930582B44,SHA256=B2A6D2D210B98AD3088650CE1EC7B4797B9471B772438E7296322B7447E9C707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:40.080{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0BAEE58A8D22EFEA4A22948BF8936DFB,SHA256=38944320A3931D4A5CEEC5BC9C24A79C07DEE308CF08B3E38CE5B08410B12E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:41.563{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873A3E406B5C15C89BA4669F3A3A4E5E,SHA256=E321F5876425BD3D6B71DBAE622034BFC7EF493BF36A09A7A9D700197BD0B9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:41.422{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8D2BBD711556A81BDEE4903C1DBE6A95,SHA256=110146E4F283175569B589776D8DA680CED50B1C1366A4ABA0E263B0E355B7E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:41.123{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E37541DD4BE15FF46374E56191E45C2,SHA256=7CA3BDA4BE101327ACF39491CA0C6FA4B0308E4F905D020AA24F9D05702784DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:42.762{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A97CC79A6DC33B796CA0A467AB302694,SHA256=1EFB126E46E1C1EB1A2F3395EEFC6DDB169AC4E4183C8BF141E6EDFC20CCB504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:42.714{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0EE9A4F02FC2C1AB9B09A9E96556E6,SHA256=698A68B5E1381710E5EDD9D7D69DF986C8A38CB6D172E3841AB3413A8178F6A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:40.618{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61426-false10.0.1.12-8000- 23542300x8000000000000000299247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:42.222{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F992BE04F7B493AC573A2ACE09A27D,SHA256=0B2F2BD13294545D457864487D59D892A486F381E0C59819A55EB01763916D5E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000310853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000310852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a8a31) 13241300x8000000000000000310851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b798-0x682219d0) 13241300x8000000000000000310850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0xc9e681d0) 13241300x8000000000000000310849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a9-0x2baae9d0) 13241300x8000000000000000310848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000310847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a8a31) 13241300x8000000000000000310846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b798-0x682219d0) 13241300x8000000000000000310845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0xc9e681d0) 13241300x8000000000000000310844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:03:42.411{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a9-0x2baae9d0) 354300x8000000000000000310843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:40.443{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55115-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000310842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:39.855{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55114-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:43.892{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B50DB238858878C4EF17B1154E5963,SHA256=CC5074655BB7BF7DDFB9BB33A5210336A40F02E95554BB022D78A949CD1A397E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:43.455{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DE9DC3D494D0DADDC75374DC117F8C,SHA256=477D1DADD38F50580CBDD7A5BACA949BBC9405371E856023C927BC13BB509279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.679{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.669{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.666{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.663{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.660{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.636{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.630{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.618{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.612{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.605{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.595{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.586{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.574{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.564{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.556{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38447A5CE3CAACB3F1089E57628741BD,SHA256=2BA0A3B54B1CC6CCED12E1F18E3888329A82EB0CCE0CF3C216FD27657B2BFAB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.555{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.544{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000310857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:44.061{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.490{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:44.486{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:45.624{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D01106A3277A7933AA6605D71D5ADD,SHA256=00A0551B9F4D9538CF33C81E67B2758C14BED92212A63569D4E644293C27107F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:42.642{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55116-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:45.009{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D750F784B9B4CA6BB95078882EE8AC,SHA256=C6CC36975C2321FA8BC2EF33B7514C48BA5103F76F82580E735BDA29611B6717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:45.119{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:45.117{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:45.114{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:45.111{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:45.109{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:46.855{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7944779BB4960029BDA9AE59499EB2,SHA256=CB18AC36378C63A61D3C6553F530D8DAE877E1FB543097B181A71584CAAFBA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:46.147{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813D7451BC379C615BCB29AED383E0D6,SHA256=589B69A866BDA00BFFCB572A5A2B4F86229871CD4AD2A310503A1267BB314203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:43.836{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55117-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000310863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:47.163{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA5AC8B07037491296ACFA0E4C413F3,SHA256=D6FA36BA312AF82B9DDCC73A576AC989C2AEB21756C718A1F7DA9DB2992384B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:44.922{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55118-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000299330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.782{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.779{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.777{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.775{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.775{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.774{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.773{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.772{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.769{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.768{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.761{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.740{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.733{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.724{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.706{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.701{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.694{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.690{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.688{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.686{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.683{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.681{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.680{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.676{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.675{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.158{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.157{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.149{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.147{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:47.141{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:48.205{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82DDC37FEFA9DA81C1726A3EADF352D,SHA256=D973582B0FF0183E9352AAAC485F9A879868D4F96C1FDD86F3F1604DCB44EAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:48.205{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D50C033F022C8317BAADEC7891B1D87,SHA256=3562A5AF9FDE3DB8210E6C979009432170D61E965FCF138337EC68D7D13F63EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:48.292{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A248B34505833D9A74002FFE99CD609,SHA256=4AECDF7A1223A62FDF2F4185AE69C71018928DDC132ECDE840F07CD4305AFA53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:44.976{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55119-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000310867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:49.407{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF38D403D0D0F5C0458B5C300EA495F,SHA256=EAE696FD2B22AED833BB62B8F15BCA8726731CAEDC2C2361D4D5C6DF3A5ADB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:49.322{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5E823091877784695757CFFB7BE375,SHA256=290E844AF5A1DE57166DABF7BBA59F319B16FA978F95BCFC62D088BFC450CE87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:46.558{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61427-false10.0.1.12-8000- 354300x8000000000000000310866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:47.202{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55120-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000310868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:50.541{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597F2BEE12B6DE67B62C81C494FA1B87,SHA256=2F7DEACB5E77F737D9BDD20D30A1376317F2BDD592D6C4DF6805A4C15662622A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:50.435{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A477393E8F392CD79D052CFF565B32BA,SHA256=44C5C53C1FA51A4F4C7342DA027911D850F1CCF89C883ABF9BE57FF5E9E3E9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:51.552{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149A8414622B8329DC0760E2165F157,SHA256=91CE34CA6568A39D7E7ED92D6CCCE519535377FCDFFA737D71C18872597F364C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:51.572{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E32578C28C6A19E8C9FD1A95033BD50,SHA256=10FB8DFAF4A2369B4A21CBF41F3E2012B1D2E7BFC7D2B70A4CE90BC0300E9419,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:49.400{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55121-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000299337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:52.652{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7184227ACBA7BE5B5F7C5834ECE6D37F,SHA256=93E93417330264AF558DEF3F71AE6C71EDF124D3F7B3517650071F657D3331E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:52.671{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AD72CF30E2341F37A33F3537695539,SHA256=0F3FE2B5A05C682E77396078C9997BECF40C8E1D08D0C1EFE1E28C5F3F54D561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:53.772{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFFE5EDF4D264DCEE4F28E79C564CCF,SHA256=D4A03FC835F8F7442F625E911279D73C981942551114FB428DC2B9652B03DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.605{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-163MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000310923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.224{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000310922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.224{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.224{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000310920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:50.994{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55122-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000310919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.071{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000310898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000310884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000310883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000310878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.055{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.056{F6DB49F2-F789-6305-B505-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:54.902{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233C1DF933DE2D9CACF07BAD39B56305,SHA256=F2936856005F44B3DB047D11A8E663D07286A4AA5F579D2391A06813C47A8E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:54.607{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:54.171{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBACA74DB3DA9BB144B3602B1E23F65A,SHA256=6E947C829FBDF965023E93D1B107857AE341230E55E38AF2EC2C08A60EB7ECDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:54.171{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8EC09BF94195B50F15BBE85E65A346,SHA256=AEB14A74504BD2BD78C51757E81BFCA25F250E880754AA74F29F73B3575A1585,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:51.583{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55123-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000299341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:55.952{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D748D07F510DE8A7520AD41BFDCD56A0,SHA256=BCF32BAA7880826093A2332DF52BC9B74F42313804A56F2FAF16788C5019A175,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:52.536{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61428-false10.0.1.12-8000- 10341000x8000000000000000311044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.992{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.981{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000311042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.973{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000311041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.972{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000311040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.972{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.972{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.971{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000311037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.970{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000311036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.969{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.969{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.968{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.968{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.959{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000311031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.959{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.958{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.958{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.958{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.958{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000311009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000311007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000311006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000311005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000311003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000311000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000310995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.942{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.943{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000310988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.495{F6DB49F2-F78B-6305-B605-000000007602}57201220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.495{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000310986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.493{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000310985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.390{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.390{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.390{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.388{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.387{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000310980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.387{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000310979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000310978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000310977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000310976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000310975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000310974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000310973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000310972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000310971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000310970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000310969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000310968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000310967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000310966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000310965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000310964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000310963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000310962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000310961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000310960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000310959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000310958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.287{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000310957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000310956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000310955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000310954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000310953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000310952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000310951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000310950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000310949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000310948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000310947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000310946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000310945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000310943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000310942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000310941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000310940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000310939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000310938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000310933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.272{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000310932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.273{F6DB49F2-F78B-6305-B605-000000007602}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000310931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.240{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1881D5C1C03D77EF788534E3A385E95F,SHA256=0387DD97180808E8CD0225D9D5A06ADAFFF31696411CEFF9D42313A5B3CB6CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000310930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:55.192{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4159FDCE32FE6328E473EC1E12DA066F,SHA256=92F6219DC25CA115AA69C66DF94715376B8FDDEB84F1CFCCF7FF2FD54B5AB24C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000310929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:53.866{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55124-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000311101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.513{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.512{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.511{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.507{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.504{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.502{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.499{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.494{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.492{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.489{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.486{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.483{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.480{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.472{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.453{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.451{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.449{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.449{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.447{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.447{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.437{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.426{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.396{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.383{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.376{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000311076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.370{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7CD40694182750EF13381FB471F483,SHA256=DD9856D0447ACFD575D81F673D521E7F1D87EBBFC1E694D400A0C5F687A29D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.366{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412FBF0E0F22D6C41186BC49F87E0B49,SHA256=30094CEBD8DFD4F5DEA8BF9CFE3317CEAD124340ACF29BA0B8607D8113E4D98D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.365{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.361{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000311072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.360{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D2E8E64FC2CBDC6315952D3CCD8384,SHA256=AAAC259C6EE05D0EB3FF9A8A398559E0EC7A3B41EE15FE8BCBBA66A980289E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.358{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000311070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.146{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000311069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.146{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.146{F6DB49F2-F78B-6305-B705-000000007602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000311067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.134{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.131{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.129{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.124{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.120{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.109{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.101{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.089{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.081{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.071{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.064{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.056{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.045{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.014{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.008{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000311045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.001{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000299342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:57.051{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A867839258769B2FCCCBF78F63C7581,SHA256=F9475DBB5EBA58C0FA3541FE15949A31B8EF3CEF99A4CC0F613A63EBE290E38B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.742{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000311152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.742{F6DB49F2-F78D-6305-B805-000000007602}26562920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.742{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.729{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000311149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.559{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000311115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000311113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000311108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.544{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:57.545{F6DB49F2-F78D-6305-B805-000000007602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000311260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.975{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000311259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.975{F6DB49F2-F78E-6305-BA05-000000007602}23004692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.975{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.975{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000311256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.812{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.812{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.812{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.812{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.812{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.812{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.811{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.811{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000311221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.790{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000311216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.777{F6DB49F2-F78E-6305-BA05-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000311209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.775{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A343C032081F81F2B601C2010F19F0,SHA256=836A7B8464C581441320DCE03D2FD0D7AECB504FD91CCE2E5A8EAF3F5B088A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:58.152{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0940B2F5F00947D5F3928E08C7A130,SHA256=DD6D5E9F512C4BB2F969F0A33296680608A300143BABB0222955B50B48DB6E36,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.411{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000311207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.409{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.408{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000311205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.343{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B13AE76432B853C6E36562D905306A0,SHA256=FEF9088AFDB2EFCA98091103C4AB41664B3395EF467C006C78963739D91638D4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.227{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.227{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.227{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.227{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.227{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.227{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.227{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 354300x8000000000000000311197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.833{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55126-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000311196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:56.069{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55125-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000311195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000311187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000311170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000311166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000311161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.211{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.206{F6DB49F2-F78E-6305-B905-000000007602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000311154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.007{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376CD3196EF6BFB180AB1D7DEAE170C1,SHA256=387BF03D76FD70A373CC88EDAC000C264B8A81E96E64EC823082F2AF86A8A73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.910{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB2D944B8EF810C6CFFB9BBBA901C23,SHA256=113A19F4BDF9FFBAA0B8B01C537E05F5D60F303F4E32E57013F825AC8D2EE9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.908{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B1647F084F80DDB36F5313DF23EC22,SHA256=0A026E8E06D74594E6ACD314647893145BBC8E3F87E7D05F52FE2C7722673010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B14ABEADED819FE2060366DEB1996A,SHA256=BC66EB242DBFC8DEFE842B6B18BCC17786FE784C618EA528F6E4271C966A8FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32E3D1E020000D13ADF8F67E5D0D0AAB,SHA256=16AB244010E1DE0CEEDE308CDE55A757D819AEFE5BA7E56DB810AF3A9CDD17DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:59.250{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCA24D613079F88C8878C7BCE8D07C3,SHA256=316535F78C7F68FC4A5A08CACBF972F252CAA91A553DC787E7260FDA46F71063,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.659{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000311344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.659{F6DB49F2-F78F-6305-BB05-000000007602}47485276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.659{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.659{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000311341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.573{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.572{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.572{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.571{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.569{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.569{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000311335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.458{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000311300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000311295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.443{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.444{F6DB49F2-F78F-6305-BB05-000000007602}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000311288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:59.327{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000311351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:00.929{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8585E513C4A821FDB1E2B1A3533B58C2,SHA256=8CB127220AD6A5901AF3486F3A0BB96CD9695E0DA70CCE228D6453A18E27CCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:00.370{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9277D83DACC7EA104B70E79ECE12F5D,SHA256=A7AAB93AB3870EF968BA60D3A5664D5AECEE101B4DE0E88450595CF8B2DA1BFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:03:58.350{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55127-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000299345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:03:57.566{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61429-false10.0.1.12-8000- 23542300x8000000000000000299347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:01.485{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08F8C72FABB618F8BE31C292B548FB1,SHA256=E75BC74CCCD64755798AB3DFA4926DBB99022E81F80AF52BF8818615D49A01B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:02.585{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66167C1F0A9904A2DA3396A9613B43DF,SHA256=6C06781631C814AB8381FD0ED28B28D8D21E93B4AB6E0D5B109A49BC4B1D58A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:00.640{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55128-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:02.046{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76018229A413C6981603306DA35ECF6,SHA256=3C963716E1562912D3B31A612EA44761595634A9DA4A207930612FF4763F9B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:03.694{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6030A8AC83A1FA9CF4FADD4EBCD1C0,SHA256=FA09914EA6FEF8976CAE213F7930F0E7A4465E37226EDC0B8936B6DEB8C5B2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:03.146{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DB7318BF881EEC4ED38BA093006AB2,SHA256=B3B1F78829E548A94E0B0FBEDDD88D910266F2A7DE7F5F90DD491B0D6D7EF438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.779{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000299368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.778{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4021D1DD91A67A803533071FDE072DF5,SHA256=79A19651CD2703CF6D6211086D7838AFEEFED71BD720E4EDE17BEE9CB2509CC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.769{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.763{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.760{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.757{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.704{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 354300x8000000000000000311357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:02.825{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55130-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000311356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:02.036{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55129-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000311355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:04.277{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B22A6DE8D4906DBCB18A76E637A5C5,SHA256=E341E3F410906CC1CA21ABD0857F5671AA702AF8290964ABC486FDC5C476F96A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.693{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.672{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.656{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.648{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.632{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.616{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.600{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.587{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.571{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.555{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.494{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:04.491{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 354300x8000000000000000299350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:02.580{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61430-false10.0.1.12-8000- 23542300x8000000000000000299376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:05.739{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4B843D971A1B83A9C2AF4DAA52E6BF,SHA256=9DD2CD91729D80B0B2A2936B17504D8F3F0BB9536A642FAFBAFBCB2C727D816D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:05.310{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6869EE008BAD760484BF8A75D7FE6B,SHA256=F04A8200966A20353BCC09A402ED85EF3763F638BEB281ECA6825C3C9D7D699B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:05.267{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-163MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:05.204{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:05.203{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:05.199{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:05.195{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:05.193{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000311359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:06.394{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA59D74D22E37809B07C136BAEBD371E,SHA256=BF4A9A096D251D652516FB557210DE19681B9D5955C20639CE4603963738A1C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.987{D25361F1-F796-6305-5D05-000000007502}48765416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.987{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.987{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000299482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.971{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54DD56025B00B6EA08F8DC39E3CA805,SHA256=3205B0114E075FBE06E25126888541F67DFD8553BF2C890B899ADE3EC78737EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.813{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DDD4D846B93EE8EF4A752B7507035A4F,SHA256=E45A0FD6C34EB3B51DB2713D349B23C21991602728895664E1171CEC540B39E9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.797{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.797{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.797{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.797{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000299471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000299456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000299444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.782{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.780{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.780{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.779{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.779{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000299439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.779{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.779{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.779{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.778{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.778{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.778{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.774{D25361F1-F796-6305-5D05-000000007502}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000299432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.332{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000299431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.332{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.332{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000299429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.263{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.170{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.170{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.170{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000299419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.154{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.153{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.153{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.152{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.152{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.151{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.148{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000299398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000299395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000299394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000299393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000299392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000299391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000299388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000299383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.132{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:06.133{D25361F1-F796-6305-5C05-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000299614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.970{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.969{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.969{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 354300x8000000000000000311361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:05.102{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55131-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000311360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:07.511{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398AD3107B5BD230C15B38D4331F33E7,SHA256=16544CA919BE903CB4C3D30B103DAF69C13906ED486BCBA64FDEFF4D8CCCE202,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.968{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.967{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.966{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.966{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.966{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.959{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.959{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.959{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.958{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.958{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.958{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.958{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.957{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.957{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.957{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.957{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.957{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.957{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000299593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.957{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.956{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.955{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.955{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.955{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000299579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.954{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.954{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.954{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.953{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.953{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000299574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.952{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.952{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.952{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.952{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.952{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.951{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.947{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.947{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAA3AF5A5D58C46D8838B8BE0A5B251,SHA256=49AF2B137B0B805CA3C194E829F2BFCE43FD9BF5C6C68648AE603C4F8DEAC7AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.892{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.890{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.888{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.885{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.883{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.880{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.879{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.872{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.853{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.846{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.831{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.807{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.801{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.793{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.789{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000299551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.782{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.778{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.775{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.761{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.760{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.758{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.757{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000299544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.702{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=020D7249C6AF333FCBF9823CEB2B934B,SHA256=7A9A490C6BD4D2EEFA502E990443DD8EDB3AD036C32988318B8DDBEFEB4B6967,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.502{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000299542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.502{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.502{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000299540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.371{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A2738F3C3072C0B5672615FD40988C,SHA256=790F9D74EAFE577955D239283D653081B900706D518376C67590BBAA7051A1EA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.331{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.331{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.331{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.330{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.328{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.327{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.326{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.325{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.319{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.318{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.318{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.317{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.317{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.316{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.316{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.316{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.315{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.315{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.315{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.315{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000299519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.315{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.314{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.314{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.314{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.314{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.314{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.313{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.313{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000299504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000299503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000299498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.301{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.302{D25361F1-F797-6305-5E05-000000007502}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.253{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000299490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.252{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545F212FBC37C9C8B07AC90A7CCA5439,SHA256=DAE9CCE394E3F1EDF28CEEED7BF2B23B95262364574E5DFC1970707540B20FA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.252{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.241{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.240{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:07.234{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000299672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.949{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAC48AC9B72A444496EC83CC0DC726F,SHA256=A49B68F19D889E1A244991B388ABCEE21A9D2905799A952D74AA43099A34B653,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.805{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000299670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.804{D25361F1-F798-6305-6005-000000007502}6366924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000311362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:08.614{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7F3EEF039AFBC2F0625FD33E7FB01F,SHA256=43C21B2714B57122E09AA1C2A0740BCB80610C45E8DC240F0290F997E47D5CFE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.791{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.791{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000299667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.633{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000299648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000299632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000299631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000299626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.617{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.618{D25361F1-F798-6305-6005-000000007502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000299619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.133{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000299618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.133{D25361F1-F797-6305-5F05-000000007502}64082092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.133{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.133{D25361F1-F797-6305-5F05-000000007502}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000299615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.026{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1435246E25D6F2319A2BAE973FC170,SHA256=510BE88B0DADA9AD2CB4E608935DABB53B27CF93B1AD85895D5DB190EE3455FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:09.749{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5D3163E5BB3CD41393937D3E49C339,SHA256=CB2E2C3A5DC2731814B3079791E84751428F66D6AE99AC413DDFAA9F79F31C41,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.547{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000299722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.546{D25361F1-F799-6305-6105-000000007502}50847148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.546{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.545{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000299719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.303{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000299700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000299684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000299679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.287{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.288{D25361F1-F799-6305-6105-000000007502}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000311363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:07.405{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55132-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:10.779{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD5AF87B6EC8037FEE0B72012B521D0,SHA256=D6347E3F92CD83E951AA69C7D68577C12C5FDCE56233A40A28DC2923BA1CA891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:08.535{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61431-false10.0.1.12-8000- 23542300x8000000000000000299724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:10.080{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C1651D49BA5877628703570C57A450,SHA256=9306F06CF1296AFDB94AEC8847CDF19890108D8F8EF4B26C684F0C9F981E1DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:08.000{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55133-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000311368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:11.912{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2C4B1C3979B7D543D67478C577C732,SHA256=4E805704CE6A6E407A63A6E52F08DABDBC8EA13B1C4BC5C1D1F313D2CF703B92,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000299779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.795{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000299778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.795{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000299777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.795{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000299776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000299775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000299774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000299773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000299772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000299771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000299770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000299769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000299768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000299767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000299766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.611{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000299765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000299764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000299763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000299762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000299761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000299760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000299759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000299758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000299757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000299756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000299755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000299754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000299753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000299752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000299750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000299748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000299747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000299746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000299744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000299743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000299742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000299740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000299735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.595{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.596{D25361F1-F79B-6305-6205-000000007502}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000299728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.092{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61432-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000299727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:09.092{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61432-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000299726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:11.111{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1B0967D324E19E4C86E7A34B816AEA,SHA256=B3FA77F4957A4DE4B35E319E425A5D6EE35A9938ACFEDFCD74260F3DAEC10E0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:09.575{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55134-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:12.946{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE7D17FEDFE11DA48025632BFCA23E9,SHA256=0E294F0004474B4EE440C581344E78AEEE8F72746DA3FCF6F2054285CA7C3FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:12.744{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A403429079B1EB91DD92015D2A3665B5,SHA256=CE033536343978A618F601A078823FEFBB57FD2F1771F891E47430FE3E8DD402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:12.397{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3BB3B767C34DFAE424488F9EDD5224,SHA256=F6B1462AAAE693A537106D80088BD205427FE22CCFB3032BBADA3184A173DEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:13.985{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE0EB01D6DEFFFD71EDE0B85F89F434,SHA256=7E8CE582897AA7D8A95D023A3660F373BD60C4498F4F14CB5A569683B9FCC494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:13.497{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F2BE1E62CA4BA0277BD18828E2A17B,SHA256=56A7BC45F522E20F448FADAA78B867EEF6C913D7CED50843BF4060BE042196C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:11.858{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55135-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000299783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:14.627{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B835E30367FDC0BE0CB3139B1AC8E9,SHA256=B48FBF46A764A7C23BFF8C9C74085BA08B41723AEFE35F1D81847829DC3743EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:15.761{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6796ED84B38AEF417F3E09CB24A10EC,SHA256=2EDDB37DD76B861FCEC1FB73B37E5F08E009CE861BD877FC443B628392ACA707,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:15.986{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:15.968{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:15.959{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:15.957{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000311374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:14.141{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55137-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000311373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:13.882{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55136-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000311372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:15.094{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25C72DC47F820DBCE9F47BA6BD9E56E,SHA256=92291DC0F54C07A0CB75300178D9D02269DE899D5D111F6126DA248BA923AB7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:13.707{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61433-false10.0.1.12-8000- 23542300x8000000000000000299786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:16.844{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D1DC64F9A70CED221CF9BD441F1B3D,SHA256=EC4FC8A8E50A81F66250D61BC7C1FDCA81DE0DBD215DDD14DB308792ABA762EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.378{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.377{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.376{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.366{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.359{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.356{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.350{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.347{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.338{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.335{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.331{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.327{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.324{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.285{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.284{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.256{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.244{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.217{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.207{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.195{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.189{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.187{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.178{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.176{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.173{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000311398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.173{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A8367BC365B619B51ADCA398448B8A,SHA256=3B815E4F20C0D6D16EE19B38E2C7EFD8CA978CED9A88FE46D64CB5588173FEF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.172{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.170{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.168{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.163{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.160{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.153{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.138{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.116{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.106{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.097{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.087{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.076{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.055{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.017{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.011{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000311379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.000{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000299787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:17.964{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C513A7837D74A61BA32074111B6FD9F6,SHA256=FD60AEF2A4E2992B7C08DB36EC0666C37447ADAD4909F371C811955FA42C854E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:16.343{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55138-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:17.694{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BE04EA2B18218D58B3E6650B55D7D1,SHA256=F90FD3B717EB27D3BB46A27754B250A98C42E63F6AEE9D113493661DF03CAB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:18.762{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F69BBF685D59939C73BE8F2E6A34161,SHA256=4B683A3DBE081FC67F7AB20AF3B4F87FAD201459EC8BAC1A6D6F6FF7BB765E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:19.793{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1566D85DD702453934C44E3FC6BACB58,SHA256=B5EE69AD6ACC4494F35D5C35A2D66D9559B6F178B6F9EB95CBDC27E0F320D1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:19.053{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B469A0BC9E8D15055EB4AC804C1D816,SHA256=53BAE1DA8C9AA8B8491D7E705EDCB1AB79FD50BB3CC06C2935C478DCBC02375C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:20.911{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91821F039CEDCB3128975D17955A499,SHA256=A53ADA6A823F955D9909DC6DE3D147B1C27F4DDD9322F15C43E7CBB5BBBE7F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:20.466{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:20.164{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCDD62FA8BFE52C633486531D8CB6A4,SHA256=35E5FB6F2CC5002FB36AD7094DF6531EE08F6E50E930C0DD01DEB927C2779A81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:18.642{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55139-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000299792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:19.648{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61434-false10.0.1.12-8000- 23542300x8000000000000000299791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:21.284{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3F8AC7F8708D1580578CD757D2872F,SHA256=6286610D1F3256377B315468A28E62264BE0B2C472CB6CD955064AC63D0EC7E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:20.924{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55141-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000311438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:19.839{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55140-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000299794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:19.911{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61435-false10.0.1.12-8089- 23542300x8000000000000000299793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:22.382{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED670536EA58F505355D4E84F559DD1,SHA256=A19A8C9BF707C1B76023C1B2C788EFFCED8484939633E456B3EE430CBE458CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:22.012{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F06DC716F92095F2E6CA913362C78D1,SHA256=8F87AF5A321261093C116D002EB1F4E459911D1D48A9056C3A5722E370F2E607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:23.498{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15576741F730D5DF42CFCBEFC3FAFD1,SHA256=E2AC0CE8EE0C4AE2EFDD250897D5B52F06702BB03E3276645536179DCE363C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:23.011{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F021A2096F99D6216755FEF8FEBC27,SHA256=3553A8CF0B37A8CF58B270855B9F9D50BCC9FDAFEAE6D8DF970A8BC43E765ED0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.693{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.686{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.683{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.681{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.679{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.650{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.643{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.629{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.623{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.617{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.609{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.600{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000299802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.589{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDF1B5312E97FECC6AD8AD1B75F8791,SHA256=045AE404C091412A43B6C674642A5E6AD8AC2A6998F9379FC09F89AD5EBBFFE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.587{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.577{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.562{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.546{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000311441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:24.029{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC93186DF3E936F9CC4AB05934B6A402,SHA256=1A4A3D14DA0CC3E4B1C99B12C6F391883B9943BD8B94A5DFD59946CC8E6EB1F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.489{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000299796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.486{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000299820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:25.646{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D9EA8EBF292E323E67AE37B58A1D91,SHA256=F317C01C3C20001D6B58EC7ABD69D3BD490AAFC004F01BC471D351922CFD494D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:25.460{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=71ACDC18A667F345E9E91EFC8807AB77,SHA256=77F5CD37A0B8F7A5EA40C6320304468133168F591FAFFD4E981086566DE5187F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:25.129{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C4ACF14C3AACB126A6ACEC11471047,SHA256=6C12E0FB99BC86D7358AD8C34E614910A232B8DB6E0D885B402C518F81A3C808,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:25.145{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:25.143{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:25.138{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:25.137{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:25.135{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 354300x8000000000000000299829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:24.669{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61436-false10.0.1.12-8000- 734700x8000000000000000299828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000299827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000299826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000299825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000299824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000299823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000299822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.770{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:26.749{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EFD15AA772DC68B4AB6FD3ACA891F9,SHA256=589AE2C83A7212D21C6B8134C821E2CF978A7680F66A53A2B68A45AD1114A699,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:25.487{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55144-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000311446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:24.935{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55143-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000311445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:26.214{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E269F467BA269A0627197DAACC59AAE0,SHA256=D9F9253977594F28819D2212BA0D33A32155E24860439A4A0FACF381FFBD9732,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:23.203{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55142-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000299857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.890{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.887{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.877{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.874{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.870{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.866{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.863{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.850{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000299849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.825{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274D1BAB1DA2B9E4A859491FB2670975,SHA256=D1AB43354CE02158446B4C4E6AE8882403FC5C63CA21ABAB0C4ACD46FE0B107A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.823{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.810{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.800{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.781{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.769{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.756{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000311448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:27.296{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4834B240158E1667911021DCD86BA13D,SHA256=7E2CEE6AFF33A8118517527850E534C714F05E85FE903D306452BE3BF59D6709,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.746{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.743{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.740{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.738{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.735{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.734{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.732{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.731{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.223{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.221{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.209{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.207{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000299830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:27.200{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000299858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:28.946{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E80FCC5478B228ECB6E4B429F5C177,SHA256=AD0008100F906BBAB76B220A350DF4BE38CB7AAC87BA31DBC18D6D4C399641D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:28.433{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACE76476F6DDAD6E34B1F7BE9731086,SHA256=2F5A8E7E94255B3B8D9D4C82896B343B9A627C296DFC2CF55B79387038D05123,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:27.669{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55145-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000311450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:29.564{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15592B7EB404424295CAFF3553AF54B,SHA256=B3FC6177A18619F82F1D4E91305B8EB5740762F3FB11CB02AA75493BB15951E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:30.594{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0744CE56F63848123E7E9F40419F68B3,SHA256=F195055E6B663E264AF6B56DAF2075C51805331F8CBB4051B81D23AEFDA0F497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:30.064{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F4F7C43BB9EC494B6F7C377C796C62,SHA256=6F8FABF2CBB08EBB489F0A65C6DBBF9420208526F77A6D588936B6357D738DD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:29.858{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55146-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:31.711{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587EA51687ED9E56D36034241085BB96,SHA256=B9DE0E23A1943ACEB7B3A7764BD9AE8A2D405F1FF0E418C1504B33298A956033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:31.199{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367FD812EA2944EB874CB79DB3B7AB28,SHA256=7F145AD350D51620E38831D0EE9DC7770B2715DABBE474DA7ABE70F372CEB582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:32.830{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860EC4E777972052319E96B24148022B,SHA256=E8E0C78781FE53B224DC1A6D891CD147C917DA95CAB9C152F89266FF831F3068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:30.530{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61437-false10.0.1.12-8000- 23542300x8000000000000000299861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:32.300{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F84827D16F2D995BF87120330DDD955,SHA256=5067B0833857481BB536C48769C6A1AA342D9C3E08B3532DF6AD2890A0992BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:33.632{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEB95F4DB10AEDD0D71A5F07B228B16,SHA256=488DA414E6A64CEB11FEB6B1742F652DA68DA7660A349A3550A5CD0BFD182C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:33.945{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524FEDA4F28D593C50E6BBDBD6283D47,SHA256=96C54014B3236912D75C3BC48CD5C08DD2DB5B39159881E1B3F3AE0BA6ADD43A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:30.936{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55147-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000299864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:34.715{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAD057515D071AEF7BDCCC8A972F83E,SHA256=9FC3D336EBEB20A4A1377B2B8986A181F181118D4C82C78E4CAD50423F3342A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:34.975{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CB88B99C0189B763E04284F79B530B,SHA256=CA47CE357DE3A35376C235F797C3EEB99DAD7308AE8A43E88ECEB62D8A67D33B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:32.141{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55148-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000299865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:35.833{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD75F3739E19B53FA7A7C3AE32B98DE4,SHA256=EC0106C4D94C594B38D5D74E97215D4C1F5379224E406CB80673B8A43A6549A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:35.992{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:35.989{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000299866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:36.944{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDA3FBDBA8AA0F9F9FF0CBD74887957,SHA256=E04D3AB4501C3957762B9C4F23944E57A2BBAB1DC8E6A160C5CDCE891BFACE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.465{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1CE203B8928A6260EED9F38A77A60E,SHA256=A50E9EF258737AFFA4E58EE0D20D8DD6235CA55D7C248B61CF7FF13F38BE8FC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.338{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.332{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.329{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.326{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.321{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.314{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.309{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.304{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.297{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.292{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.289{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.275{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.255{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.253{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.252{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.252{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.250{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.250{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.228{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.205{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.196{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.188{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.182{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.180{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.176{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.171{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.170{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.167{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.166{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.164{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.162{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.159{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.151{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.149{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.135{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.132{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.109{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.096{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 354300x8000000000000000311470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:34.439{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55149-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000311469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.089{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000311468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.080{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5E99E29328B92E4EFF32DB5E71A0E5,SHA256=7B1CF401DB29AFCE954FB5C39B30A5B421853129057721FBF8EA28CDD72DE0D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.079{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.045{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.039{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.026{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.014{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000311462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.003{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000299868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:37.981{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CA8BDB2E03502E33D16C888858F0DBF2,SHA256=6013EDC8DAC96C2DD8BAFF2F90CE8B51DA56401B442A7B963B35C60E6E604A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:37.163{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DE665DC2F31D920F5E6AD6DE9173F0,SHA256=E05B83C9F284343CF74A40A084BB600508451AC001C89F997B2E0ECB0799E811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:35.577{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61438-false10.0.1.12-8000- 734700x8000000000000000311528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.327{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000311527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.323{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000311526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.319{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000311525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.317{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000311524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.315{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000311523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.314{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000311522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.312{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000311521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.278{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE04B048ECB4B4F647BA2BF853383C0,SHA256=ED8998F0B501B7341F75570B49CECEC335A2EEB4F8972A0AEA159437CC86ECEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.803{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55151-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000311519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:36.642{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55150-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000299869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:38.062{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88319666B05393DD7B8767E03A56FCB,SHA256=964ADF8F2605E34C426D9D95552BAF99F12B6BB2FB44AC7A401B2200E22671EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:39.314{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D89F4FD0E1F0F45E62F86ED61BE51F8,SHA256=3131F1C5574978DE9C6BC60DD571757127AAB4B7413269DCCAB4B692DC05D814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:39.096{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D701CF6EBAE363DC25E77228C51C59,SHA256=18BEFB8757C217E762D9B7502A107CCB7250BF4DF381AEF7A472ECDBE65B26A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:40.450{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F64683E15ABD62CA249D3E46E3799E,SHA256=D527815EAA6A865A5F5B80D8832232648713179A1F8C0FC1AF5F6D2D1E9CE4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:40.227{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C27486AB3955262A241906B2426FE1F,SHA256=8ABF50C5B02B065B895EBBFAD7E283945563CC13E4E6D36F9222BA66DE733EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:41.476{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0A7D3FA21A44B718681A5B8D313FDA,SHA256=3511BFFE7163FC4BCEB37C6CB61A232C46FA2F927EC6ED0762FF87991E799332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:41.426{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E909F54A27BA10AEE505ACB08A72EDB,SHA256=2873A158B767274876F363C4DEB311C5FCE0634CB0208919C8D6387B000CC72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:41.343{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC368E71095ED5433E00118C2FFEBC6,SHA256=7F6CF8D69BB0498CB674CB757C16417C0E2968DBED99C24A053F3C67E6467E7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:38.842{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55152-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:42.776{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=916269C6EE80A6D1749EA1EE09969270,SHA256=28735E60035A73A444272976893B50DE8F8B21FEA0F17CC931582B7F5D0A26F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:42.560{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9701CCA9781F4F371B0E2B916A32485,SHA256=B16F0D08B947CC427613E4A56C86D9F8CDFA515D4D7F100AC4EC54F6C566B31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:42.479{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA108348264F93A72FC755FC6FCC8C0,SHA256=B07415C74B6EC79FA132FDF03BAA9541C29681F854D22CEE3626EF0B0C84ABCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:43.660{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F09B32512C1EE5531E66D65DC5B47D,SHA256=30CC273A3B191E5287CF4177E52B29CB70E7D5EB23A780A3EA82CAED9EFB5BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:43.580{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEC473DD5DBB633658BF1C8041C7AB,SHA256=43905F8E7137B535FE24B59461C363CB30B37A74002E97193AC429E753B76070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:41.056{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55153-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000299875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:40.594{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61439-false10.0.1.12-8000- 23542300x8000000000000000311539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:44.776{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6836B658CE69A820B9143B4EF34A837F,SHA256=F341AE123BE0874B9260E59C285D09671EA0AFACD864329E767A3532A39367A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.729{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.721{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.717{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.715{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.712{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.670{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.667{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AE94585E94C84EB1C0C40CFC87BD21,SHA256=65306103EFBDA1628CFE3FFEE1B74FEBCC71A5FD8380396DD7C3A2EAB2E46082,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.663{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.647{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.637{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.630{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.618{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.603{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.585{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000311538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:41.966{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55154-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000311537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:44.091{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.579{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.568{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.556{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.501{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:44.497{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 13241300x8000000000000000299886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000299885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009b7aea) 13241300x8000000000000000299884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b798-0x8d25f971) 13241300x8000000000000000299883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0xeeea6171) 13241300x8000000000000000299882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a9-0x50aec971) 13241300x8000000000000000299881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000299880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009b7aea) 13241300x8000000000000000299879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b798-0x8d25f971) 13241300x8000000000000000299878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a0-0xeeea6171) 13241300x8000000000000000299877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:04:44.359{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a9-0x50aec971) 23542300x8000000000000000311541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:45.808{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEE277860FD462EF545EB8EC767A46F,SHA256=819E2FCDA36809149C3E84C5A179DA6D520CAA0A1A939FEDF48E67D9646647D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:45.714{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8246D84592EE56FBB2B2132F5941362,SHA256=1A8E8F0B110499B998C7583B1313F64362F56E4559767927C0E7C6BE9D47F829,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:43.240{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55155-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000299910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:45.186{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:45.184{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:45.180{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:45.177{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:45.175{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000311543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:46.909{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2A1751FA0DD3FA29637951BB96880C,SHA256=16DAF3F70FF6FB243BB5A41F455E13CBCB912737756575743AA6FD888D768F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:46.928{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1781ECEF85E42A4CE414B131ADF64FE,SHA256=9AE1566EBE670E1843D46F8CD571B14CCE6078A2BDBFF80B44DB078F8C4297B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:43.865{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55156-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000311544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:45.438{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55157-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000299939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.920{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.916{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.909{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.905{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.898{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.888{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.883{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.875{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.852{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.845{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.829{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.801{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.794{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.784{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.778{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.776{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.774{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.770{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.768{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.767{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.764{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.763{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.249{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.247{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.238{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.237{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000299913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:47.231{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000299940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:48.064{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890B596C26EB531631696307F5664B59,SHA256=3BCC71D10FE3B146836E6E7981C9FA76A79520E124AD0ECEC844A296E10DD075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:48.043{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3437C9B7674044F64EC4C3FEF834052A,SHA256=32E3EE63E0AC6899C6EAD1F9CB9C2FC3EE7A7B3BBE61D90DAF028E7AD4E5DD6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:47.737{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55158-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000311546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:49.074{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3B47C5D843050702F6402FA88A392A,SHA256=F0657C162017A7C55A4BA88053A5E02EEF7683E85C487B74088ABECB73C7260A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:49.214{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F397B8FB62E4A9D9EA594A144BB00E,SHA256=01E5510F9124F76F1251C27AB10B710D2AF0BEFA660AE928128E97EE3D732A0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:46.480{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61440-false10.0.1.12-8000- 23542300x8000000000000000299943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:50.315{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8E1D158E635FBF41300FC4099CB85E,SHA256=654EB367EC72FD1547D4D87802FA8DA53B11C2B8145BD8215D1C5B3E00DD1037,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:47.895{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55159-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000311548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:50.173{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E44452A5B9D0C347EBCA8C40AA53E56,SHA256=A8CAA2A3F8366368850BDC9AA6D62DEFA5A786553FD13DE98E4E5BC32AEF49D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:51.288{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8EB1450971227B886D4F98B247A994,SHA256=0F9DF6AF7E7A6F27472015C7F6E15A6A46A8F93A8DD4227F48B29BA0FBEBB431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:51.416{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B91B0BC3CAD0FCEEC0F87126E18DDD,SHA256=E03EF06743B0B35DB1949156D5EB7F13D9B4E518EADB6F49EFD22F200FA894C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:50.052{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55160-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:52.389{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEC70DB45496FC1DC12979BD2EE7843,SHA256=F314A596E3FC7E6F53E2B518CBC288B7F3F01751E138201FE5DB6B5EF4503ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:52.517{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF8C83725A9F0A3B4D24A0623A7D592,SHA256=9DC65C266B78FAECABB54A612015C20DE7FA9F9CB3BC3A061D6E66D671F7F37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.827{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0DAA0D49970A18FD3EE7C1C9CF63FCE5,SHA256=9AD7E0FC7B49A4306DECA7EAAC716EF0AA70625766DA5F90A5DF4899EDE11849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.746{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CED7C86E887819B1D8E62A84129F69,SHA256=2D13BAF763BA3F5FAA18E9C48DB6A3802E6D01BD72EC4DF123A6D8B9BC76CF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:53.629{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606F53C374F118C657CD7E246942573,SHA256=ABD2BF8A9E1196760ACDC90CD1A67A9FC0D65207A5E5E2E4AFD79F01EE16086D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.274{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000311602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.274{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.274{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000311600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.073{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000311565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000311564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000311559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.057{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.058{F6DB49F2-F7C5-6305-BC05-000000007602}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000311608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:54.874{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3685F9502721B8E79693DB7F1F94616D,SHA256=22487C13D3273B701B038DE2A76716C4E4091D8EADCFEB53F745C8960F7C8751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:54.737{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6205C3B9A994CD28A50DCB70432C9347,SHA256=28C6E8D358C9403E7A8E39DB4BB2D7B32C0646878DA2B4A562A3E8A1B9A599FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:52.252{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55161-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000311606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:54.107{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A42F8D9A30CF4FCE4DDFC4B965B6558,SHA256=9CA14E0541CF9A15DDC072C32273196838B18C0684710DF2D2924CB3DCA94259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:55.864{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28281513D5C9EC24A73AA1962B00AD43,SHA256=C1ACC87F3906FA272A6EA0358CFA36A098A123CF89E7CC56D1E2B11091A9BE76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.988{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.980{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000311716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.974{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.973{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 10341000x8000000000000000311714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.973{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000311713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.973{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.972{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000311711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.970{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000311710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.970{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.970{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.969{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.968{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.967{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000311705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000311690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000311678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000311673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.942{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.943{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000311666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:53.879{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55162-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000311665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.642{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F7059DC4E69EBD9EC3FC07480FBECD68,SHA256=B9FABEC4A3866A3F4F3E51081567620502A973BB92369BACEA94B1AA284FBC36,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.442{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000311663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.442{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.442{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000311661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.289{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.289{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000311652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.273{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000311633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000311629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000311628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000311627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000311624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000311621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000311616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.258{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.259{F6DB49F2-F7C7-6305-BD05-000000007602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000311609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:55.144{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-164MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:52.510{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61441-false10.0.1.12-8000- 10341000x8000000000000000311776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.532{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.526{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.524{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.515{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.512{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.509{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 354300x8000000000000000311770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:54.436{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55163-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000311769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.505{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.502{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.497{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.493{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.483{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.480{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.479{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.472{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.447{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.446{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.444{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.444{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.443{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.443{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.431{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.421{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.401{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.395{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.388{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000311750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.381{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92E0C10AEAECFFB9DFE0D47630CFC60,SHA256=31150227A40373AEE4DB45682D75B68EB1FE3DFC25BF0F57FE9E7C6F6E57CD63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.380{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.377{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000311747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.376{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E22A158DD38F3E755BD9F826121D688,SHA256=C8194E3D10FD1D576DB899C660F5A49165856DD897BB22DB3759922D886C5940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.374{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000311745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.144{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000311744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.118{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.118{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.114{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.113{F6DB49F2-F7C7-6305-BE05-000000007602}56123732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.112{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.112{F6DB49F2-F7C7-6305-BE05-000000007602}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000311735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.111{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.109{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.107{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.101{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.099{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.095{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.089{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.087{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.077{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.070{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.065{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.058{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.051{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.041{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.016{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.011{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000311719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.003{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000299950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:57.069{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B99172D01C31681F5E5AAFC3761D06E,SHA256=2D47590AB2F9E0E9FF132C60C8B9813ACDE81CFCB424683E8896BE3CE431A0A6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.613{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000311827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.613{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.613{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000311825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.429{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.429{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.429{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.429{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.429{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.429{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.429{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000311810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000311793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000311789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000311784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.413{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.410{F6DB49F2-F7C9-6305-BF05-000000007602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000311777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:57.409{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7296ACA102E26B3C0419EF81D3C1BA,SHA256=0688D9EE60FDDB2408D4313661739476B901F8B788ABE12FC20CC13504C134CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:58.170{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC06E810C2ACE49FE61BC9FE52FA6660,SHA256=F8C55BE9286F4B255A9FB15C8CD5450C2CFDCAB98F8DC7781173E2EFACD80F53,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.945{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000311938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.945{F6DB49F2-F7CA-6305-C105-000000007602}17085776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.945{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.945{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000311935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.913{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.913{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.913{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.913{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.912{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000311930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.912{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000311929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.776{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000311896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 10341000x8000000000000000311894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000311889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.761{F6DB49F2-F7CA-6305-C105-000000007602}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000311882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:56.622{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55164-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000311881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.530{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92ED7ACF92D8A6FE504FA9AE7FED42C7,SHA256=DEF4BE2E17874CB78264BA719C9263A028CE9FF81AAC976CBEDA5BE68779A51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.510{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B17BA765E6FCC74F1C774AB302ADFB8,SHA256=9E868A048B3FCF9A5B831CF2DC4819B25DC18FE5B87B512032EC4B7B482DAEA3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.292{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000311878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.292{F6DB49F2-F7CA-6305-C005-000000007602}55282276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.292{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.292{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000311875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.113{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.108{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.108{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.107{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000311840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000311835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.092{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.093{F6DB49F2-F7CA-6305-C005-000000007602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000311994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.831{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC80A99D10A2333A045232942D72CE01,SHA256=11117DE879CCC0E55A74148BFB0D8A2FA376748ADA78B438A543ABF4DA53372C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.709{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1650F55985E3C5AF3C6187711923AF29,SHA256=1E8BEE12679C234354D68509766C8FA9C26FD3773F9F4037F618B9966688BEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000311992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.610{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A868B45D89389FFDC4B305BF652AC8,SHA256=9F9037FC8C444D3482D0307EC6D9FB57EBB45F95FE62C2D49C9D5F06D7CAE1F2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.591{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000311990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.591{F6DB49F2-F7CB-6305-C205-000000007602}54561856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.576{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000311988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.576{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000299952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:59.268{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1790AEBC323294D711E5C4093028BF86,SHA256=9F26AF5E1C1FC018C929BA418C507182276771F2E39F12B4BB76B46221456A7E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000311987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000311986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000311985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000311984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000311983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000311982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000311981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000311980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.445{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000311979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000311978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000311977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000311976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000311975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000311974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000311973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000311972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000311971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000311969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000311968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000311967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000311966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000311965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000311964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000311963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000311962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000311961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000311960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000311959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000311958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000311957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000311956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000311955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000311954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000311953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000311952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000311951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000311950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000311949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000311948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000311947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000311946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000311942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.429{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000311940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:59.430{F6DB49F2-F7CB-6305-C205-000000007602}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000311997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:00.628{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30FB2ADA7689EA611ED3E05CFEAE89F,SHA256=F0B33CB46ACE19096C5C23DBCE9C0947DA37C4034BF374E371A842DAD0E311CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.934{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55166-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000311995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:04:58.917{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55165-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000299954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:00.389{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE708DBD898682D0A65514103CEC2DA3,SHA256=FA62A40802FC4036FA8331DBDDBA9F6A77B6C1631292BF6E949348EFD201CD24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:04:57.632{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61442-false10.0.1.12-8000- 23542300x8000000000000000311998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:01.733{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C781F6C70E21D2102C3A24FC78E4CCF9,SHA256=DFA2B2988A905FBD2FB3B8A1EFAB3C9B08462CDA993CFCFCC5C5FE05AE02F90C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:01.504{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EED989E967C3D8C52F2B9AFEA4136F,SHA256=DFC6743A41F5FEBC743D62E83757AA5A063705A270BF9BDFD8A042F429E736B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:02.835{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29856BF728B7352C682E5FE6FD8A381,SHA256=E2AF4C135FCBBA0464FD7179F2FC3D8771C7D6030ED492E7B8CDEA2E1B725D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:02.620{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54108F685C6DA6723A4733CF2796D9C9,SHA256=8AEC8663A8925D3EC6C3339F1260FEEBD093A3AB8802313BA8D7CCC99694DE1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000311999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:01.105{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55167-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:03.918{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43233B24D4A71FC3E8A1BE0979AE5971,SHA256=BC5D13EB05641BD308F3D690444BBC8C9203A47F6D1592F1C7613A59550DD616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:03.653{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D10C935AA81B412B1DCEDF284FEE2D4,SHA256=2800C7D86038A64220C17F3F31B71B11802A6E97194D63601859550E413BCDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:04.949{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C40B0A81E4E2E42305F93CFC24C5F87,SHA256=8A4FDF6E3D20C4A8B2AE664D1C020EBBF9F1F43C4DD248AEA690EAE5136FDFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.747{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3549F2D63EB1E82CC08F9F8F3DF68BE6,SHA256=092A21D19AA20589E8EE65054A0779A1DB9C927E687FC9A32BF3A06A2AD9BE7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.676{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.668{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.665{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.663{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.661{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.639{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.631{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.619{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.605{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.598{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.591{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.583{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.574{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.568{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.559{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.552{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.502{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:04.500{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000299983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:05.823{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0E5803F292883A2B585D2FB4B8001,SHA256=CA6E0FF51F276F5DA7731E611C8F8B690084C96EEE3CF4F6BCA0392C5060E536,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:03.304{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55168-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000299982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:03.623{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61443-false10.0.1.12-8000- 10341000x8000000000000000299981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:05.093{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:05.091{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:05.088{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:05.085{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000299977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:05.083{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 354300x8000000000000000312005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:04.954{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55169-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:06.037{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D94736A293D342C09130C8DE2A9C85,SHA256=70A968A2319E89B78D4F0DEDA8C83FF8BBD62C82CB8E783FA58161E3F059DC03,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000300078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.828{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000300057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000300056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000300053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000300051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000300050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000300047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000300042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.812{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.813{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.779{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-164MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.383{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000300033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.381{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.380{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000300031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.175{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.170{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.170{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.169{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.167{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.167{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.166{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.166{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.166{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.166{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000299999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000299998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000299997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000299996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000299995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000299994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000299993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000299992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000299991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000299990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.150{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:06.142{D25361F1-F7D2-6305-6305-000000007502}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000312007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:05.575{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55170-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:07.136{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB2E2381A7B1637F92C6BB1CB417773,SHA256=BDC7236BD1E6089224F711C7E20A58FF8F5CD956FF9D8532F2C89D812FD0FBDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.880{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.877{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.875{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.871{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.869{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.866{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.864{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.858{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.832{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.825{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.816{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.800{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.793{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.786{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.782{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.780{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000300157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.780{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.776{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F28D7BFC0C01D46D59F49D5679763F,SHA256=839C04874A6FF613D130DBAD49968C774F0C39C6A5CD16A139AD4B4C75BCD80E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.773{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.665{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.663{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.662{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.660{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.659{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.542{D25361F1-F7D3-6305-6505-000000007502}67245844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.542{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.542{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000300146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.364{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000300137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000300122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000300110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000300105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.349{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.344{D25361F1-F7D3-6305-6505-000000007502}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.233{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD449BB4BBF837944AAB11A010BA6814,SHA256=DA09F9B3FF4D514018357A7E195F2BF2363394942E6BA7EA7298C71916C7B81D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.215{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A9387B707AFDD8C21E68F7022CCD1346,SHA256=56CF1942FB6CD592F19C8A33FF67150B173A45FF2E9640FB47F505FF6630F64F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.150{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.146{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.130{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.128{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000300092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.112{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 734700x8000000000000000300091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.044{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000300090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.044{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.044{D25361F1-F7D2-6305-6405-000000007502}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000300088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:07.012{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9236D604BC1C5A7FA4C133F6BFCADFF9,SHA256=23A010E770305F3BFCE76EBA7B87C1A3A581E81CC49A905DF7EC52A89F81A26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:08.269{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3380A45B804085DCACF17CBB26BCFEE7,SHA256=FA4B2B55867B2852A9BE45A9FD7DE614AB4D4A7F8E864BDFD52E391E3968DA3C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.974{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000300278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.973{D25361F1-F7D4-6305-6705-000000007502}63606316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.950{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.950{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000300275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.841{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B48275D6426B5729FB3D47D521AD37,SHA256=25C6178DCFD64BA9C649E18ED5E59DAEA71EE4CE0E9666346D5D91FA472D42DE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.710{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.710{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.710{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.710{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.708{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.708{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.708{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.707{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000300239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000300238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000300233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.689{D25361F1-F7D4-6305-6705-000000007502}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000300226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.207{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000300225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.207{D25361F1-F7D4-6305-6605-000000007502}48247136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.206{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.206{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000300222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.106{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6959C3357E6588937BF0E180100F8009,SHA256=DBA012C0228424F4EC86BA9846DA8E002FC94571C5A27C68BC5FB913AF73C399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.058{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE06595F4C42A5BA43B7E5831B0FF92,SHA256=FBAF8ED1DCA1404F376A124EAA9B390ABAA788C977C5189A35B0E963C1AC1F16,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.042{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000300185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000300180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:08.027{D25361F1-F7D4-6305-6605-000000007502}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000312010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:07.863{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55171-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:09.384{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBED8722D0D2D692CBC9A11B83F78435,SHA256=49EB8F35A220B20442E1F1F4E835FD57FD874EF4459B2AA55C5C173976BDA250,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.553{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000300330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.553{D25361F1-F7D5-6305-6805-000000007502}68686748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.553{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.553{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000300327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.437{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205A6528ABFB64B2DC37FAD98FDC5DE0,SHA256=0439867EBF2123F4BF90502F2865B0E1F9A32ECC86F303974F2034B93B82BCC9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.390{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.390{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.390{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.390{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.390{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.390{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.389{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.388{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000300291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000300286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.368{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.369{D25361F1-F7D5-6305-6805-000000007502}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:10.905{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACC5507DD353AD18F7A2150B086F37C,SHA256=C6AF46493C4B2716459F70A3357F22FFFA807209126C2A9ED1FBB2E239FEFE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:10.436{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A669C6600E98C1C69E7F258CF7F22856,SHA256=5B2D4CA9095C40CF876CE310E0EF65703A5B057B76E6BDE098FB2E2E81DFFF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:11.537{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE1D337D78C76E39170B92FB3206F3F,SHA256=291799026A5490019E39E1EE94122004E2DAAC2A17EEA3FE734B30DC12936811,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.851{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000300385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.851{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.851{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000300383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.636{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.636{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.636{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.636{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.636{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.636{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.636{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000300368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000300351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.620{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000300347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000300342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:11.605{D25361F1-F7D7-6305-6905-000000007502}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.549{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61445-false10.0.1.12-8000- 354300x8000000000000000300334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.102{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61444-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000300333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:09.102{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61444-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000300388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:12.735{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA7FBB55207A47E541E113264941232F,SHA256=AF406F7739F161B71B63D059EBD42CCFC8D4097DD4679DB9FDD8A44E40F3C97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:12.520{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE5E628EA2E784631B7506BDFDDADFD,SHA256=D35741A64DF13737245AF63428D0FD705025B1B6F5EA471CFA83B1F6047A4DE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:10.163{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55172-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:12.637{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7699ACF0DEABD4B5DFF0971C3799358,SHA256=48520B8F2A83C0AF112506A826055F8A48BCA78843E01CAE15633D609E29A611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:13.585{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556E6E3EBCC74EA8C1FD7D05EFDCDDFF,SHA256=988476A246F8076297FEBB68721DF62EFD5AA69015AE7295342402E23C6FE8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:13.751{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F974FD495D0DAF548A7BF959B47C8C51,SHA256=5FC33DCC936D82AAFB35DE943524F271AD571E6D4DB2E0876CFD86D45E337BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:10.941{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55173-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:14.866{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2482DD6AFF1CDCA46792EB563D526D,SHA256=F7B8D41B118E03CBF8E4B28148A183D495CE9E926717B2D53AA6BC0CBFEC80B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:14.703{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3CDCC9245940DECC225587F9515C54,SHA256=87769ED53DFF4AC62D4DCCC937532B1C2BDE28E934C3A7B9B2AEB8E1F9EC3CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:15.734{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79ECFA6E042CE54CFB76346DA6D1C72,SHA256=ABD32300B1CEB6C0F04144374E2B0397B46AB90EB2EC7C587D625E96C3F1CE6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:15.998{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:15.990{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:15.974{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:15.963{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:15.961{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 354300x8000000000000000312018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:12.446{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55174-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000300392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:16.818{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35276A02CE6987CCB97BFCA260DC23DE,SHA256=25D5141E5927F399E9254FA83D58617087200569250D60FDA3ECFF0C970E619E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.534{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703CD2BA96F9142479F73EEADC11B111,SHA256=4312040439F285BDA2E8C89A2BFF32468157E424160BF9914BBA8937FBDB506C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.365{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.365{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.361{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.356{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.352{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.349{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.346{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.343{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.341{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.337{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.334{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.329{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.327{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.315{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.295{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.291{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.288{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.287{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.275{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.258{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.219{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.211{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.200{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.189{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.186{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.182{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.179{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.169{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.168{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.165{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.164{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.161{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.157{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.153{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.146{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.129{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.126{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.114{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.102{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.094{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.087{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.079{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.063{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.015{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000312025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.006{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 23542300x8000000000000000312024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:15.999{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87443A89A8CEDFF5717938FB58C56666,SHA256=EEC41D72619232D00574B61B1CDC5165ADCFCA0543C0DEDA41E9E3D35F8C68F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:17.918{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1BE8D8D8C6839D429B848B7DCEFED7,SHA256=62526F1FDD49976D4ED9E437E4A49F009F9ED8E7731E6690514F11392C95A1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:14.726{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55175-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:17.064{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A2CA045B8B32BF096F37107D892001,SHA256=02D40060DB91C4686C773D1440A9FEFD19EBAE80E5127B5BE4854F03D6ECFCA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:15.568{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61446-false10.0.1.12-8000- 354300x8000000000000000312080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.923{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55177-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000312079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:16.921{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55176-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:18.068{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA0A770D68224BB8700EF47AB77D9C9,SHA256=F6BC2C6AC3094DE9D6A9E745ED906C4D1CA993270221B291EA1A34E56AAD9E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:19.166{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542E1C7187ABFC3CFA9012DE6E654BA1,SHA256=80CE20E7C39941B8E53B0595F6D1764108B45860FB19EBB63AE0248C72C0FDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:19.033{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDF725250907BD91CA85DA9ACE86E9D,SHA256=FCC5488110D8C396EF0974C2C52ED8B8E880CE7CE0DAD860FE26077E5427B0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:20.297{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBDDF618A4CE1C19F044F061B5B7ECF,SHA256=765AFCAFBA45111B7641458F1CCCA0FB76243A5EF40677E972D81B20728059D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:20.501{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:20.164{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF164FE2517A451D0FF0ED7AEAE952,SHA256=994903A1AA8B3530F95511FE6E10F2853BA5CA38A86B199414B6E7AD4E48763B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:21.397{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1529697DC2DAB2F9E6BB090D748F39E8,SHA256=060C4F2911EB6EF886BAACEE94C7609380E00A6B19C131D7D38E0C5BBD5343CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:21.200{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB3834DBF892052A757B12CCEDF8C8E,SHA256=72FEAFDB7CD3EC033D16EF29999C9692D18EFB00DC88953CEB0104CBC006691A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:19.206{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55178-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000312086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:21.391{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55179-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:22.516{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7629FD60D14F2CB305B0E48F10ADA2,SHA256=142F7C99E365F597071651A1D158D8F7266A732940901A9BAED567F7E4B5A01E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:19.945{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61447-false10.0.1.12-8089- 23542300x8000000000000000300399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:22.316{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D2B1F66534A258A0A496AA8E6F36E1,SHA256=36393421048D8AC63D526807B94E67C5FD772C6D3D20C596900C2556456131B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:23.549{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9BBE3CCE0E44528680AF8DF41206A6,SHA256=5F3A47E1CE5004AC2305E827EF200DED6BD964FC9B6A8F27FBCEA4AE236D6F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:21.597{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61448-false10.0.1.12-8000- 23542300x8000000000000000300401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:23.462{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFAFCF14343CBAAA71EA4CEDD3E9E41,SHA256=3910A571E3F0E54358D449D926D965399ED8FB08A59D86B08135E9DD4F57FDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:22.870{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55180-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:24.580{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E65D085859E59FD490F2EC6CD41467,SHA256=5A1FE7B742637874A4403640BBF50722490CE4CAE546640CE0733CADF0F7C522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.698{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.688{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.682{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.679{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.677{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.652{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.644{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.626{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.621{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.615{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.607{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.595{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000300409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.585{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65F238A9DF2DE4DAFA24496838D6E92,SHA256=B1A453F822ECF571FACE97A7863BBD69EC3E17959A9B8043DA68D7E64332B9D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.578{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.570{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.561{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.554{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.498{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:24.482{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000312091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:25.819{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=99AF58095A9992D3B5CD96DF0B1A08DC,SHA256=EA2E89ED2F4DD3137D5D377CDE988B4386C71309805D932094C2BF7D0D0D6BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:25.685{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094D695B589FE71558A8626333CB1A9F,SHA256=F4EFA25804BCB551BC9E5B446D2F6B4F375E72D15237D499A14A94AA6AAC8C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:25.531{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6572B11436F3DBAF2FFFA188D4F4C159,SHA256=76D66D44226E998B82F7967676727E2415F13434F7EADBC968F3E2366AEF2BD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:25.115{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:25.113{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:25.110{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:25.107{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:25.105{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000312093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:23.674{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55181-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:26.800{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F0598831F5B7E1241217724576CF96,SHA256=19940257B20C2B006AE46BF3398257A793DF118323FAA95C6B1D92F10C3E8D5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.784{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.784{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.784{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000300434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000300433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000300432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000300431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000300430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000300429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.770{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:26.648{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9862DE6F6E20F87045B9110B84DD1CA,SHA256=03F4735FDC6454BDFD7D5E02CFC56878AFFA3FB50F0F762BF47E989644923A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:25.957{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55182-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:27.900{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EDE92D323F1ADFF8C0FC40517CCF96,SHA256=07C3A612F652EAA29D8794665020AC623C0700A33CD713A4E03FDA1B1664F1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.849{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7921885909F636810D05D72B383B6971,SHA256=146C8C637825D62BBEB1416C572064D758A3096CFDB0932F0B07DBE77E8D43A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.816{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.813{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.810{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.806{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.802{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.799{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.797{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.785{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.764{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.753{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.741{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.722{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.715{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.702{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.696{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.692{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.689{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.686{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.683{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.682{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.680{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.679{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.170{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.169{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.157{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.156{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.150{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000300467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:28.863{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06A0BC106313FAFF31BCB5BCCB173CF,SHA256=CA613920B383270AB33AFB73CB44FC329D974479DE141062397E9CF5471F75C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:29.979{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB3EBABE8B65359E36FB329E9A4A190,SHA256=1C15053F0284C62196C63353752DF21DA50152B45F6AAD6F43F6E48ACD69100E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:27.497{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61449-false10.0.1.12-8000- 23542300x8000000000000000312096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:28.999{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099D1476109D8824A1AF09BBFC0D646F,SHA256=E4B65A958A1547DB0B0D9CDF499A68EF96F90A661C291781E08F9A9ED8AD4CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:30.980{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FBBEA1A94A3520F67675800E6236E3,SHA256=A9FB07EAAB54B696A3522B993E992EE547778AF26EF9BAA2D9B185AC40031590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:30.036{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E94A8795ECC0500BA14A377E22E7D73,SHA256=ABD6C36C0B7916742B84184599CDBBAA9B2810DC52157F08B6967297373EF27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:31.066{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19018B4D227B9AAA7F76F711A9214A7,SHA256=30BB07D1BD440B855801EB330A460793BEBE156C97A2E13FF11C173A91E246CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:28.888{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55184-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000312098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:28.262{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55183-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000300471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:32.078{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1030A53C6FEA44C2E4AC701265A528,SHA256=47A14103DA970EBDE5ADB31793768F8439FD84FC765587374D393BA5B907042A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:32.097{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F177AE4352071CA3C3FBC4046CC9C4B,SHA256=B134E7D52DAC6234154E2EAE05CC3873A0F87220DDA7C0937035BCA0CAFB24B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:33.128{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8B016DD8919184AD0B0D7579565FB2,SHA256=973447C49918C229D829EC45DDE28025D7D782E8660E86EC0462EC8CAC6AD77A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:30.545{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55185-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:33.114{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DFDEB845595BAB582235F80B327C55,SHA256=9A884C7BA4EA0AA222DB247ACC838E40A2647A1337EEC823627C729CCA5EE621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:34.158{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EB0383AF4B8AE6C384D63E73AD96C7,SHA256=E4857889C2D83A97A081F6C1628C769B00FA7F26D254E51D84ADC65CB8546688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:34.180{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0731C4A680F6393C176D55732864ADB1,SHA256=8272A3116E4065B60D05845B9B9BDB61DF599FCCA9E30CADFCE3758E8F64A647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:35.275{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCAE75F7BC3E7B475D638AD1373555E,SHA256=09D31EDFE9B4DF2E1D835C8701F694CEE6561FE52F308B2AE138274CAAB26DC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:35.998{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:35.988{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:35.976{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:35.969{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:35.965{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:35.963{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000312106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:35.313{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E9E118890AFC0A7D156665482742A6,SHA256=E5FFE4024E023DC282E8EE13245BAF99B1E29E4EC585985ED6F8A141F4997892,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:32.541{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61450-false10.0.1.12-8000- 354300x8000000000000000312105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:32.743{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55186-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000312164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:34.957{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55188-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000312163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:34.921{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55187-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.533{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FC2E30DF5954F1AF6E2DD9F3BA237D,SHA256=F643FCB3CF5E4C257EBCD4E7C26285CC931C95CE9BAC43560A520B622B0E1667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:36.394{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB59BB72BEC89A9E5BFFDBD710E2E94B,SHA256=1C2181E7B1C64104EE9C0D61162703109DDC384BD1D07B84D6E8DD7D45B65313,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.266{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.265{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.264{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.258{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.255{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.252{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.249{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.247{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.244{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.241{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.235{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.233{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.224{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.209{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.207{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.206{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.206{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.205{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.204{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.180{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.154{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.132{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.125{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.122{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.116{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.116{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.113{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.112{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.111{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.109{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.099{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.093{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.091{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.087{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.081{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.079{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.068{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.057{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.051{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.045{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.038{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.028{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000312113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:36.004{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000312165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:37.713{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863F4E7BB564EA74188E7E97A98D5D1F,SHA256=063734C685A7D6C2EC450EDBC69422304F3B24C4F47DD07A8223E2D96572DD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:37.540{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2251FA7595F5A910C05369A0DDE5CE16,SHA256=F0B060E77299DF7860B4C0C7C1675D1CC4D0DBA900C826A42CD458B46CF881F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:37.493{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5866613D8F2161816ED3FA08F2FF84,SHA256=0C17299284F83566410FC2EE1A595C59DA467779FE3B64E9E4C691D61D0B91B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.799{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593C81B2205DD70817892871706BF0E3,SHA256=56BC3EA26F4DB9AEE712DEFCDCD44641DA9E2AD52D951105D9F4901122308BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:38.509{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1E14C7954FEE27B5BDF84532F1A035,SHA256=8E6F772058F57C93CB52264DB24269BE013A04756AF322F1161F80574535A343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.326{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.326{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.326{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.319{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000312171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.319{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000312170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.318{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000312169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000312168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.315{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000312167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.315{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000312166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:38.313{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000312177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:39.916{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636E0CE315C405D226BD4D8F4A48F025,SHA256=DA6595C00FE8E2C56EA2B3CDE9669CFCAC20187EC89F11C4316619A4C89BBDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:39.640{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB5D31D32FF217886CA5CD117CD84BF,SHA256=E793BCA4B5AFFAD103E7656A12555D50808138BB983368130975B83FF5B88E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:40.754{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B12C40AD6201083531C79895E8833D,SHA256=1728F2CB48BF8E44096723FE9922302B6376B774B96CE837B6FD6B5200649BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:37.142{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55189-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000300483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:40.208{D25361F1-D01B-6305-1600-000000007502}12887028C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:40.208{D25361F1-D01B-6305-1600-000000007502}12887028C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:40.208{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 23542300x8000000000000000300487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:41.872{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A62CFABFED2AA40E7EEB0B88046AC8F,SHA256=08D2061D07FF1FA97585D4B3C19F7F5432912BA80FD502202277B66280F014C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:41.052{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8F9FE54C4552D7F1AFFB62BA3402A3,SHA256=CE6DF5CE69F832A33E5536A6D14C67097FA3298EE8F2D3272C6BCD3771703C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:41.439{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=96BE5FD79D730028C481DBA0DE2ACF8F,SHA256=4520EFD6FD09305A0044158B0B63D68D3F684B0E0CDBAF1E763316BA2C1FF3F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:37.721{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61451-false10.0.1.12-8000- 23542300x8000000000000000300489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:42.972{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE37A3B5D6817E9A499F9B715D1B3533,SHA256=38DC90686269FD03C39989852B0BAD0F450F6CBA655DB4DACCAD93A1F6531A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:42.782{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BD73E9A57708E5142D8A47D179FEC5D2,SHA256=B5083F5E7F80F0A03A0A5E5250191D47DC74389025A8DA4B6B8E4F587CF7F921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:42.166{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CC91685786609BA602B71F48D12834,SHA256=0F36E973E313226996AC0A15E0CE1DF27B59BECA72D49C92A4134CE971B01C7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:40.040{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55191-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000312180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:39.425{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55190-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000300488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:42.191{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CBCCB5F2ED9A10DE4F6EADE95CE431FD,SHA256=1EB4532FC577D97FDA2AAF4F958DCD25ADE1B6219D2BA8EE71B2F8D7334836F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:43.197{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4ECD034859BA9368CEAE1DD3C781FE,SHA256=ED3E761520175C9B78E9499BE0AC98934CFBEFC20A09C1492D58B0E8F64409E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:44.234{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B4A924C5E13603E5574D687DE59232,SHA256=042D7DA0A28AA0FDDC97914670914F5ABF4E07B433874E82C46E7B809BA4C275,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:41.707{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55192-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000300508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.742{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.735{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.728{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.726{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.724{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.682{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.674{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.658{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.648{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.630{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.613{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.597{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.579{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.569{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.554{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.545{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.495{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.485{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000300490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:44.090{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88B2E44878599CF4FBAEAEA70798EBD,SHA256=0346F799CE3ADB0EF0A4226A87142EDC2CA44647D5863B70D41DFB244898C0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:44.117{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:45.395{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56300635058F1AD78666CE8953302DC,SHA256=7AC4A9A0C8E5AD1B1C88BA4B2A6DE5DCB7A09CA5088BE2A4509AC44F2DEE6BF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:45.199{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:45.197{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:45.194{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:45.191{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:45.189{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000300509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:45.135{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A899C12B4C9509B4F439528ADEEEE0C7,SHA256=5665C2BCF5A0D14D5544C934F4E30A12EBA163B4182E7DFBF2B9E1480D556524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:46.512{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC31041EFC49268933A97B0FC80E9E7,SHA256=09CBE9AA08157A75C2C9D991B6B5B2AA7F967C00D44FFF162B22021D6B454049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:46.224{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5FAB76269CF6D6E75F59EC8A065659,SHA256=105138F61329C1DFAFAB6EEDD8F5BA96003035E4877987CA19766032DFF30FFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:43.517{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61452-false10.0.1.12-8000- 354300x8000000000000000312189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:43.885{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55193-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000312192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:47.613{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8116449F7EA88266CC40670F84D418CA,SHA256=ABC9C7B37E949E3E56BF99CCF60DBA8E05BAC994631DA721654357E96C8C771D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.942{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.937{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.933{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.929{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.926{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.917{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.914{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.905{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.874{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.863{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.842{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.816{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.807{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.797{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.789{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.787{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.784{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.781{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.779{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.778{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.775{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.774{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000300522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.323{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A49B09F3AF63361799597874BBC60B,SHA256=FB04C25B7D74397207FEA9881229CEEF6F8852F219F97B10DE748945604E1001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.270{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.269{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.260{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.258{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000300517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:47.252{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 354300x8000000000000000312191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:43.990{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55194-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:48.730{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13D9924E07F449797AD26C3C36E9C7F,SHA256=0B1403F322A20552885ABD76BA4D123BFEDD32A7CF8D8D8725F8426D04178441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:48.352{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4D47ECA7D1D5F722F0BF45922691D8,SHA256=B0D71654FF8F96AB2D23F2D0CE20AF63346A228536CD2497D32EB70775F7BFF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:46.272{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55196-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000312193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:45.936{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55195-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:49.830{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1FC8027219085A92F5DF3F448F92DE,SHA256=2E088C9705A3191ABE39271B543D79DBFEF2BA875DF7CBD078E2395FD24F9153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:49.436{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F36C85E66381D1FC84EC25A39DC0033,SHA256=FA2A763F36E443AAA7EF59D38AADC579FBDEBD28D695BA899047E71BC22454D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:50.637{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3319B59D5A16764F6F1BFC54CAC8957F,SHA256=679BB6509F1BE708123551F5A635A44FE98A6ACCCED92E0FA516358616E1F646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:50.960{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A902A5CE1048A4A513EE2010117C495D,SHA256=4ED9FEE2D39063A4FDE1993521EA04FE4693F8A713E23FDC650DBB88942ECAD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:48.455{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55197-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000300549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:51.689{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D41AE94B2CB332FD7E14EFB1CB0188,SHA256=0AFB9BE25060BA3672DDB2D78A1D532AE7D7DFE7B329DF11DBB04E3C91CE8419,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:48.654{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61453-false10.0.1.12-8000- 10341000x8000000000000000300551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:52.904{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-CFFE-6305-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000300550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:52.819{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C061B76917437A302E2F2B4991EFC18D,SHA256=76C85B3F64248F44AC15CDE6940C2CC39272061F63100158B5E44086D7D0E807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:50.753{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55198-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:52.045{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57033BC906B750175A680A2688D179D,SHA256=0EABD6C66794AECCB18E34D623D7A69CD3320FD4E216A53A6740713A06216FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:53.950{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=676699956DB6AED221F26FF7DB20ED08,SHA256=3688F462D61AB6513223BE87011B13B587FB424C48308390E7BB47540C4C554A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:53.934{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4A62E2599668EB48FCDAE7D9A0B2E7,SHA256=1DCF67F4AB761E4E32B841A78920347F7222C92011C8D7F777644FE9E2FBCB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.813{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31CFB318177FA9FD2A5B019DBF8A47F2,SHA256=76C3E001F6B87D85CFCC044E8ED8B7A5FA5FD776D86B43535557D360C33CD2F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:51.849{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55199-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000312252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.260{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000312251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.260{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.260{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000312249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E823F3C35CDA1DDDB37C0221E4C38703,SHA256=7371BF8C206E0B1BF3418CBB946AFF3BE7CFD4B0B5BFB1F322A746657D737F85,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.091{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000312229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000312226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000312214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000312212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000312207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.076{F6DB49F2-F801-6305-C305-000000007602}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:52.372{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61454-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000300554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:52.372{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61454-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000312257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:53.061{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55200-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:54.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CAB1E0BD9AC79848D8F98D86405D48,SHA256=F3EE1CE61ECC6B676F8795989F2331686B59727BBEF81E8AB97AEF9F2CCB8260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:54.130{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758E0033478A7AE7F238B51710695E8C,SHA256=29AF51DC6E9210B68105AF96C93CCAF9F866EFB6D1529D11B813AB86004106C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:55.034{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FB65BD31C1775F26881A2C472CDA50,SHA256=B2024F3F147674E4B1E0AF6661F4FFE495449B168E9F16A6CDB6EC6DA6523857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.994{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.984{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000312363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.977{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000312362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.977{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000312361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.977{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.976{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.975{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000312358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.975{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000312357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.974{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.973{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.973{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.971{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.964{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000312352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.963{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.963{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.963{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.962{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.962{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.962{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.962{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.962{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.961{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.961{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.961{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.961{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.961{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.961{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000312331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000312330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000312327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000312326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000312325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000312324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000312321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000312316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.945{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.946{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000312309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.445{F6DB49F2-F803-6305-C405-000000007602}14044340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.445{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.445{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000312306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.276{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000312297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000312284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000312282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000312270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000312265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.261{F6DB49F2-F803-6305-C405-000000007602}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000312258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69474B92DFCDCFE599D7EE49C1B769A,SHA256=6B8EDD9530F7E6EB6BAC61A75D3AF15BD9FCF99672F181294C60251515A2B2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.665{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-165MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.558{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.557{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.556{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.552{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.548{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.546{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.544{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.541{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.538{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.535{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.530{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.525{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.521{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.510{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.484{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.482{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.480{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.480{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.478{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.477{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.465{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.454{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.435{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.427{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.419{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000312397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.417{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA60D7F384408A1101638BA92344756,SHA256=351D5872152D888F09CEFE1361ED81075FC5EB1765FAD51390E1B6AB83CCB534,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.414{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.412{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000312394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.411{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8425E96EB8052A10FD1E62A58B9B00,SHA256=AB4F11605CF75954FB3D8F18919B36A9B29F0C84C70E8F989F7CB9B6D0AF48B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.409{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 354300x8000000000000000300558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:54.584{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61455-false10.0.1.12-8000- 23542300x8000000000000000300557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:56.121{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C84C456885AE7A3D14EB914BCB7C2B,SHA256=DD219F710F632A59827D4CC691B553D38ACDAE58867795B585F1674409F03752,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.143{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000312391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.142{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.141{F6DB49F2-F803-6305-C505-000000007602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000312389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.135{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.133{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.131{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.129{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.127{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.125{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.120{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.109{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.104{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.102{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000312375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.096{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D40FE352F29CE8B2166B8D88E77992A4,SHA256=87FE25645C50FEC151E2E36D07771F9C17960E3329DE8A6E478A4253981F0F84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.092{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.084{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.079{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.072{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.065{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.055{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.028{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.021{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.011{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000312520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 23542300x8000000000000000300559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:57.234{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8A068A99DD483B5DEACC55F5E9E9C,SHA256=E5CB0A28CE6073B8EEE42FC5BC5084782A2451C84BC8AFAD596602197CF47201,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000312505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000312503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000312490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000312489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000312484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.980{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000312477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.977{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEFD7C7EF5E20409972F90644831AB7,SHA256=9FF7F8FE7B2A3272BBF8CA5EACF1C8043C03E33139C4A20410ACD67E13E71EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.678{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.577{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000312474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.577{F6DB49F2-F805-6305-C605-000000007602}33881888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.577{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.577{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000312471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.446{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000312452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000312450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000312436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000312431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.430{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.431{F6DB49F2-F805-6305-C605-000000007602}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000312424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:55.254{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55201-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000312582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.862{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000312581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.861{F6DB49F2-F806-6305-C805-000000007602}54085720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.861{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.860{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000312578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.676{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000312558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000312557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000312543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000312538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.661{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.662{F6DB49F2-F806-6305-C805-000000007602}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000312531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.545{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9366EE81576DC226BF2E93F24F5F89,SHA256=9D8E5675C8563DB80D584D9C0A0B2F3197AAE38CD88E4CB6A9BA229204058537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:58.267{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE6D9BDDF26EB5F3D5FE8B7861F5E0B,SHA256=42BF11F1800E9ACF2EA1DA40319BAC12794EFB6B214DE36DB7C18B63ED349288,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.161{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000312529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.161{F6DB49F2-F805-6305-C705-000000007602}46243308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.145{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.145{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000312526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:58.112{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681FE9DBF49A4F37A61304D8B32BED05,SHA256=6684E70E67B7FA822C8C61D5F93176FF28A267E174723B3F3F6C9721F58338D6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.993{F6DB49F2-F805-6305-C705-000000007602}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 23542300x8000000000000000312638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.809{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15768ED447CF226CFCC742B142083F85,SHA256=826FF1E7CF7E73A4557F31A9D019D2A55785D94A3C633A1C35A590A5414D85FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.792{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201EB89323A713F075AE9A4C651670AB,SHA256=F3A7A7D50B4675D225689889DC673271F1DD18972ED69D837F4FFE0CFFE873FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.792{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEE0768FA09A65F5BBAFC0D401B09BCA,SHA256=79C4E1E607C8664E626ADEAF4BAAE14BAE4AB94071BABF18CEE3BF5E311611DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:05:59.287{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B9B82156B23C5AA18D42BAB714EAE3,SHA256=A5982D23BD4DDB7B5AB7044493CDC5B76CB6574ACA1B39295256D9EC9D493236,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.532{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000312634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.532{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.532{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000312632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:57.539{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55203-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000312631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:56.997{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55202-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000312630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000312616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.360{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000312602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000312598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000312594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000312589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.345{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.346{F6DB49F2-F807-6305-C905-000000007602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:00.367{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F51B3042D92A53F3D2E953497B221A2,SHA256=1284261F4FA18C51F8C40960BDA7DD3ED59EC56C3314ECC89C2BEBCD34A64707,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:00.345{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:01.467{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E67908D9B521CB719ADCA7A22470FC,SHA256=0682042A27EF25E2FD321B55A91628543DF255400B4991E46C3269EAD44A535F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:05:59.739{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55204-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:01.391{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5770A812050E41BB4D3FADAC0D2783E,SHA256=B5371103845D4D084EB1B9DC5ACD5FDCC8AD1023EA3A8E982ED977C0C33A13A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:00.551{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61456-false10.0.1.12-8000- 23542300x8000000000000000300564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:02.566{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5520503797C7BF1758464E307BAF87,SHA256=F1716E75F70FED3743C8D88F8C8CC33D1748DA8C27645D80DC1D150BF3EE6B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:02.476{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13402F958E0EE723A753E6FF8029CF38,SHA256=271107E3EC7DADF8D3182368B6401205D4D13A56C19E802270014AFDE3226092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:03.648{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A07FAC592D96702EB347550BA2A222E,SHA256=A4674F41E878E7E721B35D55DAB9EF1D890D6F45E0B27AC0B7BAFF57158D2893,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:02.038{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55205-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:03.583{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C3F1DCB4A05BC2D885E7FBC378D39F,SHA256=C8B5E9B5775C8FD3CA382391D29EDDB61AF4D9753BFC60FDF1D2CE42623F3332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.827{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BEA937CD2A643AB2BAB97AE93A07DC,SHA256=F4BE640646564614449453026C869145EF95E4201B20F40CB81E24C12EB4955D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.771{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0779CCCB8E1B78B0D4E0DD200D76B9C,SHA256=44001A7C99AB83E7CBAD4F52EB1B54CCCADBB2AE83B1ADEA8E68024436A0F45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:02.981{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55206-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:04.613{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F454691E057E3665959B4B6C2E4B84C5,SHA256=50892EF1FBE85F3BFBE3001B80B4CB52E82D5583510E65975494D44A9AD79CF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.691{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.684{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.681{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.679{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.676{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.651{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.645{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.634{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.626{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.618{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.608{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.599{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.586{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.576{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.560{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.548{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.488{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:04.484{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000300592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:05.906{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A391D2F6A7ADB0906C21084F6A5C5A60,SHA256=3D268B6011B9870A4773176C47D53A6DB7177F0468A768B5873C639FB7DDEC29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:05.748{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F290D3A054031233B8705EF0B1977DC,SHA256=2FD7FE65231D60F8E0FE827577532B259973DE30F4C41C31614158ABD08D3961,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:04.241{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55207-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000300591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:05.090{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:05.088{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:05.085{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:05.081{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:05.079{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000312676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:06.814{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B237C06267F47479C25A771A029368,SHA256=D64C7E1E9D06E7BACEFC203939359663B87253E7ABD9ACD253D8D80CA777B7AF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.869{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000300693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.867{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.866{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000300691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.701{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000300656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000300655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000300650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.686{D25361F1-F80E-6305-6B05-000000007502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.202{D25361F1-F80E-6305-6A05-000000007502}19325924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.202{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.202{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000300640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000300631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.033{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000300616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000300604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000300599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.017{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:06.018{D25361F1-F80E-6305-6A05-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000312677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:07.933{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C91D881FF918B0310BBDA96287CE0C6,SHA256=92EA9F4E455CE6D6CF687C4F586722FA7F464CD7F81B43A822C12104A8AB9E41,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.995{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.994{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.994{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.994{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000300793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000300788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.986{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.987{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.772{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.769{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.766{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.764{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.761{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.759{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.756{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.750{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.731{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.725{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000300771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.719{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F8C4D6A876C2B5B93C7B0D6C7769F117,SHA256=DE43CF2FEC83ECEFB8C55BB4FB8DFD8C972CB9E130AE000C5F8635AECE6FEBE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.716{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.701{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.696{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.689{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.684{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.683{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.680{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.678{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.675{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.674{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.666{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.665{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000300758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.633{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692C4202F7AA2D8501D941C7682720CE,SHA256=15BAE1644868537F60A429545D3E654307407C17FA3A952FE6DFDD539E2E5A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:05.683{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61457-false10.0.1.12-8000- 734700x8000000000000000300756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.486{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000300755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.486{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.486{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000300753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000300744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.318{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000300725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000300720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000300719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000300717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000300716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000300713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000300708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.305{D25361F1-F80F-6305-6C05-000000007502}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.303{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115BA895F5393A30D6EFB8CBF8755C88,SHA256=A058A899D258096F1EE69023C8E5D3C89112C7CA003C48CB8CAF243EEA9C5F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.151{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.150{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.140{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000300697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.139{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000300696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.135{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E04C90581F953FF66C9CBC573787E6,SHA256=186D1E676C695BBC16CE6766C9485D2279A704ABCD2DF011B4CCE9F9AF99A280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.133{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000312679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:08.963{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA2E1A10FE30DA2113A445462F760E2,SHA256=7F4B8F70E3D0B5E69FCD60494ECAC2B0B9FE47245E6074147CCC3B2934084253,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.832{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000300920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.832{D25361F1-F810-6305-6E05-000000007502}68927120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.816{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.816{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000300917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000312678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:06.442{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55208-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000300894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.801{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.685{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.685{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.685{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.685{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000300857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000300853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000300848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.669{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.668{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.664{D25361F1-F810-6305-6E05-000000007502}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.289{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-165MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.248{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9430325961FCA16802F1CF8EF2485D14,SHA256=1C56524FE6D1F22D37E9D8E8701FB471D0E8BEE11245ADDEAF540140065ED031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.186{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B8681B68A750E62071530B4B830400,SHA256=9D457D575B99293FB1EF071CC2CA4D5D90A78EF24F41627835CFA88B2BE496F8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.167{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000300837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.166{D25361F1-F80F-6305-6D05-000000007502}62281012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.166{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.166{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000300834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.104{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000300833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.104{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000300832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.104{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000300831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.103{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000300830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.103{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000300829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.103{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000300828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.009{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.008{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.008{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.007{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.006{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.005{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.005{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:08.004{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.998{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.998{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.998{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.997{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.997{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.997{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.997{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:07.996{D25361F1-F80F-6305-6D05-000000007502}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 23542300x8000000000000000300976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.784{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91FB4BB5571999288FDEF2119AF02A1B,SHA256=B5663199E272DB2267F8B9B0725F865DC6EA37D66ECA8B5B4B437F845A4206E9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000300975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.516{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000300974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.516{D25361F1-F811-6305-6F05-000000007502}67362104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.516{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000300972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.516{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000300971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.369{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000300970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.369{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000300969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.369{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000300968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.369{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000300967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.367{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000300966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.367{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000300965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.367{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000300964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.366{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000300963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000300962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000300961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000300960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000300959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000300958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000300956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000300955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000300952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000300951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000300949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000300948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000300947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000300945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000300944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000300942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000300941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000300939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000300936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000300931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-F811-6305-6F05-000000007502}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.347{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789B2B7E074775C6A068CE188B623C21,SHA256=86DA30900C0E92289909EE3A8EF35702C48178C6553A7AD076C053938FDFD6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.287{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.060{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0991C445FEE2F6221FA4E5AD4113DC8D,SHA256=7E70E0F9658A09BECBA0AA6ABACE868AD88C3108C86B15B65F29780FB6C8AA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:10.585{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588974411576DD52C694F5ED7898AB42,SHA256=9D253E5272FA03A57C38044FF27F606C981AF8B1F9C0FEA03C3BD79039F35BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:08.721{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55210-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000312681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:08.001{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55209-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:10.090{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775F35811F80D9A1B56BB58608C3C65F,SHA256=FB462A7CAD46FDD299187CC5054BBC1A044A53AB0810D13E242F07C852FD7BEE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.820{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000301030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.820{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.820{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000301028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.113{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61458-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000301027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:09.112{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61458-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000301026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.701{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F623F38EB3A7137CD19F6A789BFF9450,SHA256=5F6B350D1089BE98981E9E59096151B8D00B212ECF8D3293C416C441E88E6C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:11.115{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5518DD3AE8F5E80378B70DE972871E1,SHA256=A546B27BA7598E0150C35A7823AD5F1664048C43DCB7600FCB421E0FF388ED82,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.616{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.616{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.616{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.616{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.616{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.616{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.616{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000301010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000300999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000300998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000300997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000300996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000300995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000300994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000300993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000300992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000300991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000300989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000300988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000300987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000300986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000300985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000300984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.601{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.602{D25361F1-F813-6305-7005-000000007502}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:12.748{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498E833117608BA6BD5755F798FE5DEF,SHA256=4F0A0471F1CC3766E5FA8E35B525005634125ABF842D1EAFFE35EC6241E84FEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:11.017{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55211-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:12.161{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8BF767B646C9426D8FACB9AF1CE79B,SHA256=79763FF236D14BA9E99566173D2C05EBE2310F1E43BDFB3B6DB2DE51AC78C021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:13.864{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02671A04D7F1053ABE3FB20FDDB5ECCD,SHA256=E361F2AF59B8A31EB72CB0105F6FE0FB8D3C1BB6F9804B67E36920E804B95695,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:11.651{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61459-false10.0.1.12-8000- 23542300x8000000000000000312686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:13.247{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379BF2C73F70D72CCD6E1A516B59C5FC,SHA256=3B64B77F47DF481C239C0E1BA564AEDEEF7C8C7E5B7742767BF81D757EAFD7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:14.865{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E53C4670DD3DC6D9934A76DDA2FA3A8,SHA256=C081488B3C127BDB8A0F3FADD0AEE0002FE3EBFA094E1C765112E155F2C45B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:14.363{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6E48F27A435D0E9A5F809F1D2B163C,SHA256=C32612912925F4A251FF658780F7426CD086A694B11EAEEA5BD0C8F33BC5F6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:15.902{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A0FD26F7FEBFF22F31BA994BC4F30B,SHA256=3616D84AD82A0637F764831C27C7A3E3E27EA9A960CA87E0993233BD43F7D77D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:15.997{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:15.989{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:15.981{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:15.975{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:15.972{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 354300x8000000000000000312690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:13.920{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55213-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:15.511{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39F30B0588D031E16AC2E8E07530CC,SHA256=F26C7C03BEBDACA4B66AA057D850B5062F3A6CBADFAC2764E61287019B9B3CC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:13.304{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55212-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.878{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71D760A4A01E75DDDCA743EFFE7D029,SHA256=D0310E608954D482AD7F0756F4B4C2F13D35A079F51D8F9F1D6560771C54EA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.878{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55C1EC7798D766551DC64BE0EE217F1,SHA256=E76EFE6605FEA1A7B5B791850B88D789F298C907FC5410DA3A3B31F7B2416031,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:15.502{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55214-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000312745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.330{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.328{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.327{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.322{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.319{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.310{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.307{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.299{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.293{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.285{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.275{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.253{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.251{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.250{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.250{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.248{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.247{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.233{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.218{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.167{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.151{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.146{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.140{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.134{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.130{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.127{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.124{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.120{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.118{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.114{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.092{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.089{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.077{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.068{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.061{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.054{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.046{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.036{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.011{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000312696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:16.004{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000312749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:17.911{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10637600243A026FA628DDC1EB147DF2,SHA256=F0B691E51EE8A8C8852388F192D7D1F512646BB1A168FA8ABD061D6C50C26917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:17.030{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9263FA6F77308C1831C5F0A94652B7E0,SHA256=D539A6D2C7F4375AE5D24130CA23A108DF2A8FD211867FDA7BE87EE9B2423CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:18.162{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D70C15B6EB48C1FCE406B5EDF2CE675,SHA256=69EF1A6D473073769BEA002C67A02E337C9D956028B9B2B4CAE2D1F37BA6DFE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:17.548{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61460-false10.0.1.12-8000- 23542300x8000000000000000301039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:19.185{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CEC61A9EE445C7A700EE28C9572D1F,SHA256=CF34D364E361859E849972D8A524636C149E664F06769CCE797371FA1EDC5023,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:17.802{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55215-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:19.045{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD544F0AF54103A66781171845454B1,SHA256=52CD34DE853C49E077D242438E925BDEB5A9F485E2B861A750744949649746EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:20.160{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AE9959F352A0EC6B966DACF2574593,SHA256=7CFF64664E63B0A1A05721D587E9CD2404B5979605658863738075D8BA8A1C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:20.547{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:20.301{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25743CC55206E5F5051CFA9DBA7D4095,SHA256=257CA5A1B65E314FCE11357BDDFE25A70EA633AB116582728AAD2FDE726E9AED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:19.981{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61461-false10.0.1.12-8089- 23542300x8000000000000000301043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:21.384{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01708BD18AAB5E503E8F21523061CDEA,SHA256=1650BE238DC12A1C33E0DF515B5751E30F9B93896B71DAAED7E2FD3304F7351B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:21.291{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0271453C994EE30ECA6880BADC9199E,SHA256=F18E5FD8909017F7AE3BA50F63F39D4BBB87B5999D57C377552006C60C7885E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:22.486{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61F35F9A119022E375A211C27E27FAE,SHA256=CF33384A9929A13BD575341DCFBC86CCC238386ACA151D2001399D6C652363F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:22.408{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5767D5BF0E6F4553997C6A608022E1,SHA256=9AFE065509CAD2332B9FF7EB87B56843631856DB9285193BF2194D904D9A6D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:19.984{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55217-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000312754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:19.948{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55216-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000301046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:23.587{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846B9A168A52C57D830B3926CD310295,SHA256=07643D04B3F84CE28805B0960F7E641753675C2D91577D076C0EDAA3F9C7C4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:23.528{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F5EE20490B5DFED744A2E3768E252F,SHA256=A1C9FD6AF76742A088918EB591F9DCF44CD68FC563B1D8001B99C08A4364358C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:22.584{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61462-false10.0.1.12-8000- 23542300x8000000000000000301065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.692{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A287D4F0FD5219EACDEA089C52A5831A,SHA256=08695534CCD0770CB1523EA40ABD293BBCEF0A87EE3F88A96C79B2F936772563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.676{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.667{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.664{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.656{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.653{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.634{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.628{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.617{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.611{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.603{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.593{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000312759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:24.627{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DBB45092E5DA29238512B4FE7A05F2,SHA256=5EBAD6A2F24D1DF4AD219EBA17FAA16FFE888961A30CB78FB8D318716CC72901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.586{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.576{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.565{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.552{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.545{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.489{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:24.485{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 354300x8000000000000000312758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:22.183{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55218-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000301072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:25.663{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBFD2E847C080A4059DA47D3D2B8331,SHA256=9CC9677A245B00127FCCF1B9CBC2B270C3FC201D80A201769267DEB39A01F410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:25.727{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025F849274D0B69775700A5A6DC63F82,SHA256=FB1A7073C270A8E3C02C9A2AE39937932CA90C5921F0326C4DFFBA775F7806FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:25.065{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:25.063{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:25.060{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:25.057{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:25.055{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000312760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:25.258{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=11402B4AC40F83D5FF7B2D68E7D14BDE,SHA256=06B4BE2587195D42ABEA71A1F1899DF460DB5613E637E4B53725297B5C19C081,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.781{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.780{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.780{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.775{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000301079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.774{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000301078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000301077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.771{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000301076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.770{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000301075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.769{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000301074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.768{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000301073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:26.735{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F039A8B7DBD75F912A21A3B79C4802F7,SHA256=FC3288ECD8FEA100D24FD82406E6A741D4A63A4440ACCD690EEB1363F0DB2013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:26.758{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC04A095D0F54C0FD50916763D414C8D,SHA256=212A047AA7649FD26CC467B94E09E0A24B74F697171C0BAC38E685577D61BA62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:24.466{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55219-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 13241300x8000000000000000301128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x8000000000000000301127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000301126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000301125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d8b7a1) 13241300x8000000000000000301124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x2cf73038) 13241300x8000000000000000301123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d8b7a1) 13241300x8000000000000000301122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x2ce433c9) 13241300x8000000000000000301121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000301120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000301119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.944{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 13241300x8000000000000000301118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.928{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 13241300x8000000000000000301117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.928{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x8000000000000000301116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.928{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-CFFE-6305-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000301115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.928{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 10341000x8000000000000000301114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.838{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000312764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:27.789{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F7A6478054673C8A2B79D93D30175B,SHA256=AD97490AEE5E5668A549E8DE9BCB5C641FDEA78478A7463A03CD0A5CA1F0D956,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000301113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.830{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000301112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:06:27.830{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-854.attackrange.local 10341000x8000000000000000301111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.821{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.774{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.771{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.767{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.764{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.761{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.758{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.756{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.749{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.729{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.720{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.710{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.689{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.682{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.673{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.668{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.663{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.660{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.658{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.655{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.654{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.652{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.651{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.143{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.142{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.131{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.129{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000301084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.119{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000312766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:28.825{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BDFB0BE50A505D1A173060C7D5F04D,SHA256=B88C14F577A797756E4CF22E1DE68BD255B26938EEE1C0BC8458200ADB4F41DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:28.903{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7B10649B84F7BF970C6729D27D63F89,SHA256=290505574FCB0B7DADC02B632A5B40262454AE0494DC128FBAE3EC01A7952A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:28.168{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E827C4D52E13C4C0513EE9F9CC4E5225,SHA256=1823D8FA87B76C300C6CFE63C64AA49121468031F15C41D1F39B2366FA87EC20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:25.876{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55220-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:29.956{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9099CA4143092B5457ACFEE2B3B6166,SHA256=614EB1C84CF5254948318B8A735C0F839B8914565AC6D685BD0E7018F9B999CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:29.188{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFD8108ECA39212540067BB8C017359,SHA256=4DF1CD6B3FAF52E1E2043830744F50454720C04FA9AD843E7CF97D03C3A7F844,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:26.735{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55221-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000301136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.397{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61465-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000301135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.397{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61465-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000301134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.306{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61464-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000301133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.306{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61464-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000301132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.288{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61463-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000301131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.288{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61463-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000301138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:30.234{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039FD744B947AD5B6D432EC43968D689,SHA256=495CA6D9F523E3ABCABDD312C68DF76D1C9D66D93D5AFE2708BBEA0721F2B934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:31.350{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DD14A58DDA4CE730FEE56503E76883,SHA256=81DDE0D045960A0A432319AF877647DF1D89B4F170B79D2C985CB19B7EBD05E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:28.933{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55222-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:31.086{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71633B35F3353FFB50EF238040E775F5,SHA256=E191EBDCF498D12BB9107F842DBFC1DD4B7BF0A62B7342B049E9EF54ACA62EED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:27.717{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61466-false10.0.1.12-8000- 23542300x8000000000000000301141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:32.449{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD800CD8A49EB5E643D78AF68A7FA118,SHA256=04092AFCC6941029C094326AD3C22FCFA0ABEE925599339DCE056DCD3A3EAFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:32.186{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA1233D62E0A3F0802A3464BFB7B952,SHA256=D28E84C975C887EBF7AC83ADDAE4A4D6C224A510402CB20C63E60CB67154ADD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:33.687{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CD9734E832C358823CABF371308259,SHA256=C97D95D67013B5E0A9E47FDD8B83D87F6211B98FC1C06D7292D76328D612E6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:33.325{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79392C1C316939491B8E04F05459409,SHA256=2D48335B534971D22E2E03451D0936353DEA3B997556344606E5B90CD8F7835E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:31.233{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55223-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000301143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:34.719{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257764D9CADBE4C18294CF54E10E5EDD,SHA256=A8A2AA9F3209CB9B7A0CD93B47B85703FD5E8C42F8C9656B683AEB5F286EDBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:34.525{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A423CEBEDC33B5A3D30F13ED467BE92,SHA256=804C484C7C5B584FFDDB41A2576AF90B6E4A1E58C25FCF3E69D8E5404D534AA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:31.827{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55224-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000301144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:35.819{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE04E5AB13FB357941A3ECA6CFB3CAE4,SHA256=A88B0E5A40C1AC3EF92E7D5D4999F71E449DC3AE9C1BB47A0B4F63385877FC22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:35.994{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:35.984{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:35.973{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:35.971{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000312776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:35.639{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E262250917D6AEA3FE1119CA482D6603,SHA256=D675DCC241A278967D0BC69DB52761506C51B07311C9421DBCD4CE7F5B9E4520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:36.920{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C3FEE428A914181E15BABAA9739C91,SHA256=938C76DB103FFD64378E9304D5B6AC88B09AC58ED54B42C3BDBE2E0219CFDC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.707{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741344AC326B24384B15042712865428,SHA256=7F5A8E6C9BD8FA2B931E9169CAADFAFA15761F2C860DDA0BB7D9D676F1D1BD85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:33.536{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61467-false10.0.1.12-8000- 354300x8000000000000000312833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:33.515{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55225-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.401{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4507F6D6217F945CF87D2396B01F5FE,SHA256=701452B4510F260B30DDC5870AD9B3AAE425260B24882A81E5CD6E6D5A4B13F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.306{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.305{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.304{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.300{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.297{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.295{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.291{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.289{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.287{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.284{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.279{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.273{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.266{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.258{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.235{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.232{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.231{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.229{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.228{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.208{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.198{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.176{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.167{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.160{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.154{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.152{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.149{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.147{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.144{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.143{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.141{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.140{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.138{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.135{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.130{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.127{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.121{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.118{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.115{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.108{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.105{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.094{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.081{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.075{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.060{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.052{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.042{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.016{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.010{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000312781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:36.004{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000301147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:37.950{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9006BFCC8A33006BE78A4737EE9E1B62,SHA256=CF604DF7C58EBA72B14FE5CBAC0BB9A53DB2138313E6903A79E552839957ADC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:37.825{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE2CBD9275F54856112B5BF5D0054DC,SHA256=F0B1D31FD2C8DBA13EB170781571EEB24B0581DF2B71BDA7E10FF7767C28F48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.924{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BDF845B188FD85B9B0C6974D8BB516,SHA256=45ED7A2B88DC639487C6D52CE4529849E0B622146E81302B962833B3A0344905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:38.050{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BDF533C20281C425C6ADDFAF3CF0BA,SHA256=51B5A22DE5A585370A2CD674555BBFC47A4B6D1C48762971891C24F63C2FCC1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000312846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.332{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.332{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.332{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.323{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000312842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.322{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000312841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.319{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000312840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.318{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000312839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.317{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000312838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000312837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:38.315{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000312836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:35.795{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55226-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000301150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:39.748{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3882DA3AE138C3DEE56D33FF7591C0E0,SHA256=8D50667A3BCBFF45CC71200D7B990825D8B0D2F2B0FF1AF3407F7A691C55E4A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:39.066{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6951246D90D0D59D0BB1FB64A8F2C284,SHA256=6222DF9D0896A919B5051421BA4F53348DF4A092856000CE8FB687ADE03EF83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:37.028{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55227-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000301151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:40.201{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52F9B963A6C1D864586AD5DE1DFA744,SHA256=0198370FEA4A326123147DCD9D48A2B37A9CFD6FF98909A7123E26544FB67979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:37.979{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55228-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:40.024{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A3FD50D3FC76D1854FD1F90C36586A,SHA256=0B431520B2E7B025D0DD8C31CE555D4AC0A56FCDE7095B6451F6480FF83BAC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:41.447{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C8A4D7C9865DA304941B88B01395515B,SHA256=4AA581F84D2642F520961B4D45E3E91015C619BE342CAFE7EC86B524CCA4D640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:41.317{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED94757416610C5F58C5F0FA22456B8,SHA256=A89C38AF81C1B6DB18A3954589E412708721BDCC6F136DECAE5EF89AA3DF1CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:41.170{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4C9EA8490842316CACF51D935B003E,SHA256=8B41D9A4F8CB82D18F1312FE121AEF34FC30473ACB65202D5EB947478799A8C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:38.667{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61468-false10.0.1.12-8000- 23542300x8000000000000000312854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:42.785{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E2566CFF5E253083D84D28CE60FDC07C,SHA256=9D04881D365B37BB22D1AD27013D2F3516527C5B71A221CCC206C0A7BD0C4445,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:40.279{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55229-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:42.285{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14596EB8B20F5ABD43C42FD49B2B5CD4,SHA256=39D934A61C21081D155A3791B7AC6819A121EEA3F2A656D86E639745AB454887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:42.448{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADFFD6FFC31D15F4564D48023C64BAF,SHA256=B2EE077057FA88B25EEF6EE7D748FC09392A7837579E56D2FC102D6F9D510C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:43.404{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C742D0ECDAAEC50C0D6363FE9852BA9,SHA256=F3FEBD786D0BA2F469D4FA9ED1DB4253C05FF4A07F794DF7E6A7CE186AB3C70D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:43.549{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485E6725D2943DD86ACA82C360E4D57D,SHA256=043843F298E2537730CC774428C55213A9BEA652C4F02D388F79F149F4C7F4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:44.469{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D273B20750FAC848EA86CACD2899FC39,SHA256=73CBFF64DFFA73BAD4BDA27FCBF734BD54768CBA06B04566890A8FE616916C7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.653{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000301174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.651{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32760572AFE64F26DCFE7689744FCC4,SHA256=5E0319FFEC55823E4ACAED51235F275AC8499D883D74CE6BADCA31E065B8841F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.645{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.641{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.639{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.637{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.613{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.605{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.593{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.589{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.582{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.574{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.564{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.552{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000312856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:44.138{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.544{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.534{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.525{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.478{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.475{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000312860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:45.585{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126BCD1F27BDE1B332F1B10A6A1E5EA5,SHA256=9CBCFA0DB984AFBE8168DCA88204174FFA98447E67F01F38F86FD61C65F55EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:45.589{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2F9D12E35A9BCC3D88AC2606E8F6B6,SHA256=00E68319403D83E56E12986E62B98DF0940944B30AECDDFE119DDC1E5909B75A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:42.985{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55231-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000312858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:42.493{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55230-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000301180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:45.080{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:45.078{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:45.075{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:45.072{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:45.070{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000312863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:46.702{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA68398F0FFA535FF66C0AAB34D7C97,SHA256=F9EC5AAF56C58B8050EE92EA6D5A5226355D243AE6FB570F9F1CFF9A72656956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:46.671{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0A2AFDC9692FFC81B2BC487E9671D6,SHA256=3183CAFEDE70747146EE4C84C9F918F2ECF8DF6A1D71C8E006BE59361E198DC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:44.777{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55233-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000312861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:43.909{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55232-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000312864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:47.803{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D7BAE3C6578991D3D3137E2E97D007,SHA256=5A22B2BAA1C9BB08EF633B3848A0BEE64B4252149F23E44444500C2B45350DA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.819{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.816{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.813{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.807{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.803{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.796{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.793{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.782{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000301203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.778{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3253B4B769F0E160DE219B40D98736EE,SHA256=89ED453317DAF32F6289C063C4DCA3BE064CEE7145AFC1560044EA815F7B21DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.745{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.729{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.717{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.689{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.677{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.667{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.661{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.659{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.654{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.650{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.646{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.645{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.641{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.639{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 354300x8000000000000000301188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:44.668{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61469-false10.0.1.12-8000- 10341000x8000000000000000301187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.135{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.134{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.124{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.123{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000301183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:47.117{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000312865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:48.901{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76377594DBF3BD47C168406A7BACCFD,SHA256=A165F969F480AA39648634940525DC842101FD2F2D4CE6ED8C104131C350786F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:48.769{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBFE58AACA9BE7A9BDAD654DF195FB,SHA256=B777B91A3CF90C1BA3CB4C649668B57FFC17EF738E0D53F2CD9C05AB865B84A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:49.887{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEBF7865126B4D14D2E5FF917B89396,SHA256=0333C358139C00968A07F9EB046CCE5D49FDD37F3F1A182D59D20ADC0916B8AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:46.975{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55234-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000301214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:50.989{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA6C685760B6FD801C6367C719829BD,SHA256=656FA0188C48704985E0934CA2EECF9AC9C5A02541B204A14CD5689E5FA004C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:48.885{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55235-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000312867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:50.020{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74884597F0903E5CB73DFF016175A65,SHA256=CDBBE906EFCD0FFD8D2DA5147A063D340BC110F0A646BABCDF4C98416BF942F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:49.259{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55236-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:51.051{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172E319C15B677E9AEE350E58598FEAB,SHA256=2EE2915FDB30BE2BD21E370541D29B1ACCBE0E5C6FE43BF2B110C2E3D7C447B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:52.181{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189EA65B451E59E14AE9A4D7A9627494,SHA256=238C2412CAE1395BF2ECD87104BBD61451350F563DA1E44E4DF28A2C44944C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:50.602{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61470-false10.0.1.12-8000- 23542300x8000000000000000301215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:52.134{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCAB39C0B27D8513FE25250A73F7B74,SHA256=FEE8C1A598C4F6A23C0102359BD2316413FE4FA322E4C2EE7FFB45639104872B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:53.137{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FEBFA226D6C20493ED21BAFF018BFE,SHA256=EEA8D4148B830BD2A1C99BA0406A59620995028A54D0AB4B2B1B33819851BE07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000312925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:51.443{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55237-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000312924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.621{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EF56C4E4002A1DBBF8C3257FF3AF64,SHA256=A582BB8CFD52D72980D959A533AE0FD90C67724EEB7012F298004F595F21BC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.621{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B0C83A59969ADC394D76E5D24061C80,SHA256=897411D9D6CAA0C585224BDB39EC20961BFFA7A79DF8139B04CC7BA6A8B35054,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.249{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000312921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.249{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.249{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000312919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.102{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.102{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.102{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.102{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.102{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.102{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.102{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.101{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000312899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000312896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000312884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000312883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000312878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.081{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.082{F6DB49F2-F83D-6305-CA05-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000312927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:54.352{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63EAADE1356C5CE36CD271C36866A42,SHA256=D3BD10913DA0A84866E274517E71DF3E59FF75BB0FC4977F94D70E4F39F5DBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:54.241{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAE209E0220B8B0BD58648241CBC0B9,SHA256=1FA7FB8490E8C533C523A6F18E4851AC3841A43B3A09CBA8F36FAB282EA5F757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:54.152{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77C1E10AF20DC401E36667713941119A,SHA256=853F4D5FA887A9FF0F5B2FCB42EBF3A0FB9C68FD1490EADF15AD62DCA035139A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:55.267{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3AD41E1E26EC63FB7E20A84D083CBE,SHA256=45563E4DB7AA5B598FDA580B3B1B033CB4ADB4D7CA54431CEBE08C8DBC28135F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.990{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.977{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000313036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.970{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA70D52F00714998682D2750AF0CC53,SHA256=E16CD059A02DB1509C349B98BFF828B98C0C6D0BC7841F8C21F9E1683BC7DADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.967{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.964{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000313033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.963{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.963{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.962{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.961{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.960{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.959{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.959{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.958{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.958{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000313024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.951{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.951{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.951{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000313009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000312997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000312992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.935{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.936{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000312985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.939{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55239-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000312984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:53.628{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55238-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000312983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.529{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DC30032B07BAB6E315669839784A97DC,SHA256=CFC42AA1380E2F5001AC8484929BBE003AF3D42527AC9E0F932063248759C6AB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000312982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.464{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000312981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.462{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000312980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.461{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000312979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000312978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000312977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000312976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000312975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000312974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000312973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000312972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.282{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000312971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000312970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000312969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000312968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000312967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000312966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000312965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000312964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000312963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000312962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000312961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000312960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000312959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000312958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000312957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000312956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000312955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000312954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000312953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000312951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000312950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000312949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000312948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000312947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000312946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000312945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000312944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000312943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000312942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000312941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000312940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000312939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000312938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000312937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000312936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000312935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000312934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000312931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.266{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000312928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.267{F6DB49F2-F83F-6305-CB05-000000007602}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.539{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC4FB32EB17A8A8B0E05D9F0FDA4BDC,SHA256=B8D5875DF6B769EA671B3EAC3C7AFA0E454D7DDF8EE6D07B63B095A488EA4FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.487{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0068EDDFA2BD9637A9DB89B0466D3C32,SHA256=8B72C41AA7F2C3CA5F4E2E6F4F96C581AC7853B377B94DBE099A68F2FEC18516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:56.386{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1E57B24E47FE41E5CE1D5AC2E05CF9,SHA256=7E157C3BF3C2E4ACF9B2CF03F714B27AE8314C08E1BA29C34083BCBBA3CBBAE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.399{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.398{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.397{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.392{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.387{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.385{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.381{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.377{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.366{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.362{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.358{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.355{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.352{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000313080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.352{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105E8C15B826E14CD96B32BF2166B4CE,SHA256=33B4BFB3CEDBCB9E92FEA204DA8B45D6122126B273A3EADE09B464BE4C6B4DD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.345{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.318{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.315{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.308{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.308{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.307{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.307{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.295{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.283{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.261{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.255{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.246{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.241{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.240{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.236{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.129{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.125{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.123{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.119{F6DB49F2-F83F-6305-CC05-000000007602}3144328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000313055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.119{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.118{F6DB49F2-F83F-6305-CC05-000000007602}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000313053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.117{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.112{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.110{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.107{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.101{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.099{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.084{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.075{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.069{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.061{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.054{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.043{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.017{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.009{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:56.000{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 354300x8000000000000000301222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:55.684{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61471-false10.0.1.12-8000- 23542300x8000000000000000301221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:57.486{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CDD622747C32FBE9163CD0B1A501D1,SHA256=23B8831F6BE5E2A41B9DE90A9CB92A49B9F0BB10867FBDAAB1D41DB04A6D678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.619{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A49E667E2B1DE16BFF6DCDD52F7088,SHA256=367DD97526209A01CD7E467420CD8CCE0ECDF48DBF69165D25CC7F4543E08A03,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.604{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000313153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.604{F6DB49F2-F841-6305-CD05-000000007602}21642520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.604{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.604{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000313150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:55.908{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55240-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000313149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.502{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.502{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.502{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.501{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.501{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.501{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000313143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.451{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000313108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000313107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000313102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.435{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:57.436{F6DB49F2-F841-6305-CD05-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:58.632{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C8B472727C7CD252CD0C862FCA47A6,SHA256=4F3A24C44764BC11806DBB66FCCB639C35B36F2C030E149EA55B813AB6DF3066,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.903{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000313259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.903{F6DB49F2-F842-6305-CF05-000000007602}572920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.903{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.903{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000313256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.735{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000313221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000313216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.722{F6DB49F2-F842-6305-CF05-000000007602}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECA0EDB3E2367FAFE7548B60FD3FD20,SHA256=23E29837EC26C3556657964AC578A37EAB83626B03B4E33D816C1E3856E64D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.719{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6F6C8CCDCB1FD3A07518089CAEA644,SHA256=F5D77326BC574415380EEA4437D506C4650DDBE577A80CA96E34D3983E5FA346,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.258{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000313206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.258{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.258{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000313204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.200{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-166MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.119{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.119{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.119{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000313189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000313171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000313167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.103{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.102{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000313162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.102{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.102{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.102{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.102{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.102{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.101{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.098{F6DB49F2-F842-6305-CE05-000000007602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.999{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFD98734E91345F98FB759A9BE54587,SHA256=5FE77BD8F64425249255C0227716644CF7C474692CDE0BB316C7A52FB5D260F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.850{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D5782A1ACE3B90668B90CC70A45664,SHA256=BF1BBE08A75F07A3504FDB9576D6E2AC0FCB4101A0001F3316AB040525083CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.850{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A28EFDB3B9549E87FB09FB69A2FADA7,SHA256=E84D0169C092DBFBA0C8EE343E9A36DFA0D7570874829CD1B82A19A1535C42AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:06:59.764{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB36F46813F92CD9A5606A8A70F97DD,SHA256=F866F12FC8CD28A09070E1B0EC0ECA07D3294404E3ECACC9FC454563620E0043,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:58.191{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55241-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000313312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.563{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000313311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.561{F6DB49F2-F843-6305-D005-000000007602}18363232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.561{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.560{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000313308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.404{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.404{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.404{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.404{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.403{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.403{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.402{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.402{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000313273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000313268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.382{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.383{F6DB49F2-F843-6305-D005-000000007602}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.199{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:00.966{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A7D46830EBDF606921F3EB7F7EAB1A,SHA256=20BE746680461F7D2667A97D33871817381D35156214E05D08AE7A4BABA5EB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:00.830{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA867ED9F93E1F71D8A63445C0E34093,SHA256=95F24A7CBF0D3510C9EB80669FE4A04F40D67E59D6E22461165BE0317B6634B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:01.929{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A3CE95EAE910DD22A37DBF7C56402D,SHA256=2F123FF0CA3DD58E69FC887577B9896D4AB35E3F2B08A19B0F119B215FFCBC6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:00.382{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55243-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000313319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:06:59.984{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55242-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000313318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:02.081{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95B617380B5DFE0D160E3BBEC3CCAD3,SHA256=731C60760838369D1B2F48A5A06C31BE33DC77B67B408E8C2F12283DD9DAB60F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000301231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:07:02.767{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000301230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:07:02.767{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ECEB3A25-E485-410F-A879-889ABA3F8BBA\Config SourceDWORD (0x00000001) 13241300x8000000000000000301229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:07:02.767{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ECEB3A25-E485-410F-A879-889ABA3F8BBA\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_ECEB3A25-E485-410F-A879-889ABA3F8BBA.XML 10341000x8000000000000000301228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.763{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.763{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000313321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:03.200{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AC24E001B21C1D1CCCA3DAA1AC1FB2,SHA256=C78478D807A63E1294FF9014D61F7B4F357C20BF34DD741B6C287010891D1F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:01.564{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61472-false10.0.1.12-8000- 10341000x8000000000000000301235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.610{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.610{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.610{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000301232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.045{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DA13D616A7C012D3594CFC07BB8D35,SHA256=A08E3CDADDBC68E29211E6575449E91E4E53E1EECD6A5061894826586B6AD5F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.695{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 354300x8000000000000000301268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.076{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61474-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000301267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.076{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61474-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000313323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:02.589{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55244-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:04.320{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B86341795A4216537B41E0BD7A8BD8B,SHA256=227F869646591B9F9B04EB466BD98AB82E0BF63E483DAB8D775D4A5C684C91A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.246{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local55750- 354300x8000000000000000301265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.244{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local63670-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000301264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.244{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local51335- 354300x8000000000000000301263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.244{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local51335-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domain 354300x8000000000000000301262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.230{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61473-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 354300x8000000000000000301261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:02.230{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61473-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 10341000x8000000000000000301260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.688{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.685{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.683{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.681{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000301256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.667{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=499C11C3D36A40939C528715B0297201,SHA256=408B1074E1CFD30E1E6F60AD9E653FB0C254041D71B985C89026C95B7208D42B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.642{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.636{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.624{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.618{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.613{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.612{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.608{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.600{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.589{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.575{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.558{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.548{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.539{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.478{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.475{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.445{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.445{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.445{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000301237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:04.162{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE629A91CC008C3D06242E50652E660,SHA256=E920E106B0B39F145440E03D5E7F4CB60CFA5DF259C179FAFDE18364FC65E011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:05.451{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DAE255F7FCCFEC448EA41A4E8DAA6C,SHA256=F0FE764919D378A16A9BB670594B6BF7C5937348A1391F82668FED601F191B7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.911{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61475-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000301276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:03.911{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61475-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000301275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:05.332{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB57BA5C5B5E47CD74130F898AFCD49,SHA256=5480E4309C412ECFEEC86A28D51730B58DE752A281F1B50E7905F357BC2695A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:05.134{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:05.132{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:05.129{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:05.126{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:05.124{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 354300x8000000000000000313327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:05.006{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55246-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000313326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:04.858{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55245-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:06.537{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7D9AC524101FE7FA2E0E41318143D3,SHA256=0DCDF7B0B8BB2C8ACBA4A96610DEF7CB953B6967AA8586492AB7AAD25A3E4EFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.872{D25361F1-F84A-6305-7205-000000007502}67325640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.872{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.872{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000301382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000301373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.712{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000301360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000301358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000301346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000301341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.696{D25361F1-F84A-6305-7205-000000007502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.635{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31611178F5643404920A6D4AAA8B2E30,SHA256=A9139FD35EBE0052586A81D958DD7B2D379F50F83836179A9CD1FEE0CF603F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.502{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E1E6ADB4401E8944FFC33B247D1A34,SHA256=CA9985EAF9FEEA4EAEAA0A486617054D93A8BC3BC63A28FCD78FE5B4CF2EADFA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.249{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000301331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.249{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.249{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000301329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.064{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000301320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.046{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000301300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000301298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000301295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000301294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000301293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000301292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000301289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000301284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.031{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.032{D25361F1-F84A-6305-7105-000000007502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000301512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.971{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.970{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.969{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.968{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.954{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.954{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.953{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.953{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.945{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.945{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.945{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.944{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.944{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.944{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.944{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x8000000000000000313328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:07.652{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE67C7F8650C0CC87F9DCAE774214D4F,SHA256=BA9D813BBDD922D52D20DFB3D21A66711C03D73A438BF592B1E5FF840929E3F3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000301493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000301491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.943{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.942{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.942{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.942{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.942{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.942{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.942{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.942{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.941{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.941{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.941{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.941{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000301477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.940{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.940{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.939{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.939{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.939{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000301472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.938{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.938{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.938{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.938{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.938{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.937{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.933{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.846{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.844{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.841{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.839{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.836{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.829{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.827{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.819{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.800{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.790{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.774{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.753{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.747{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.740{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.735{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.734{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000301449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.733{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF339CAAE3631C6A965D849E51F67AB,SHA256=518B5A6EF348A195ABA9590451830E1808E2144C316B3EB95A44AFB9B94D33A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.731{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.677{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.675{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.674{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.672{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.671{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 734700x8000000000000000301442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.435{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000301441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.435{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.435{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000301439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.387{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66AA8E89486BF15444C2F96CF9FBB9B,SHA256=9D516A07EB81904C248EDE50D85389DB52FEFC1888343BE2B2993435A1B6E4A8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.288{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.288{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.288{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000301419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000301416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.271{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000301403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.270{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000301402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.270{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.269{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.269{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.268{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.268{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000301397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.267{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.267{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.267{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.266{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.267{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.266{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.261{D25361F1-F84B-6305-7305-000000007502}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.168{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.167{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.157{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.155{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000301386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:07.150{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000313329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:08.722{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781613C88AF8026EFB6419A73A156B69,SHA256=7C3F4B932226DE4CEFC687349A169DA7AC4F396D01CA9395933F780F9AED253B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:06.569{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61476-false10.0.1.12-8000- 734700x8000000000000000301570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.772{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000301569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.772{D25361F1-F84C-6305-7505-000000007502}588860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.772{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.772{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000301566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.638{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.637{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.637{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.636{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.635{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.634{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.634{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.633{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.627{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.627{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.627{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.626{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.626{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.626{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.626{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.625{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.625{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.625{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.625{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000301547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.625{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.625{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.625{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000301544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.624{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.623{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.623{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.623{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.623{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000301531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.623{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000301530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.622{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.622{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.621{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.621{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.620{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000301525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.620{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.620{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.620{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.620{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.620{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.619{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.616{D25361F1-F84C-6305-7505-000000007502}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.355{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEB02935F9F4E1A010BC1D286E12827,SHA256=ED8615EA232410B0155A4083820E29B02AF35C4623D3E9D2BD26A0DEC267B46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.324{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1C1D9044DE69C2E44B07EBB572DDB085,SHA256=A326BBBB936B6E55F4363B57A69C976E0065F23E1B5493F42C9E6484A3EB9C25,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.103{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000301515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.103{D25361F1-F84B-6305-7405-000000007502}63205908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.103{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:08.103{D25361F1-F84B-6305-7405-000000007502}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000301625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.951{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E96235AE61A3201D0840B1E34A61F87,SHA256=AE93276259B174B31A084E2F7C4FED528FBFA3CCABDA8767DE6BC38A4AEB1725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:09.837{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9FBF6C7807AD8643A2256A0371976F,SHA256=FD7BB38CB27FF8A0D402960EA13B4BED5DABF46E7DEDED6AFF1B817B4BDE4942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.813{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-166MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.519{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000301622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.519{D25361F1-F84D-6305-7605-000000007502}59404784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.519{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.519{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000301619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.306{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000301599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000301597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000301584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000301579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.288{D25361F1-F84D-6305-7605-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.050{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C64A60CC475F448318A0615270AAFD,SHA256=12C0D148FB1E8C710A48F96D45C2B48161E3E370F0B519CC907887B2F8A5B675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:10.952{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DDA787DCDA08A369E75B9DA2BA5E47,SHA256=D645866C7509C575029C11AEACE2C01C0F44A9BB712A35A34374B19EFF8B8D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.114{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61477-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000301628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:09.114{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61477-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000301627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:10.821{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:10.765{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D802634293D43D95033987B5942DDD57,SHA256=F575C58759ABF823C4793332FC40061EC3B6BCDA76FB92ABFBFB15CA94756130,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:07.128{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55247-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000301687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.851{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000301686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.839{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.839{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000301684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.727{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000301683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.727{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000301682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.727{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000301681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.726{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000301680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.726{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000301679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.726{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000301678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.635{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.635{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.635{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.635{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.635{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.635{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.635{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000301665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.622{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000301650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000301646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000301642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000301637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.604{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.605{D25361F1-F84F-6305-7705-000000007502}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.051{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52D654D3967C65FB0E1513EE74380D3,SHA256=0923F1A6350A7E35C8F228BF27BB728084E2C2050DDA7B7B7173F46465E63C74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:09.312{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55248-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000301688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:12.189{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF64A76F728ECD34FD81997A5355600,SHA256=E29EB38D0FF91924B6C3F445CDB8B614F1385A3654957FA07EDFD37BBFCFCE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:12.083{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D3F40BAA4953C16E11B651BA875B77,SHA256=E5AD6D06A9FBFAC51B231F7567526BF931D4D95F5569825C4D08F9A11F7E5BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:13.304{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D20E2238025473F3D53ECFBB4499E39,SHA256=8BFF33916D2374AED441B42DD935C0DD6CD49624D0D94A06D13FDE6DEF4E41C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:13.200{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80159692C3DD716BC9A10858F8FF9660,SHA256=D7CC622A7E96FBE262B93483DF61C30A26E78B9E40F4CF72035E0763588609A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:11.591{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55250-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000313335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:11.023{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55249-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000301691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:14.450{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983D1428CA0C13F150481CA7D28EB8A7,SHA256=F68763DF75C3A6BEAB6B5E34DE8FE53C8566EB4115B0F42A7F8009FCEC1255EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:14.200{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AEC8AD3031D67C36A7DBED393FDDF6,SHA256=AC4072EED52F33BDB34AFE0016783381DE6CB1681BD8BD77AAAF7090372ABF20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:11.687{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61478-false10.0.1.12-8000- 23542300x8000000000000000301692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:15.587{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFDECFE15CA914646DE79C666C91A9B,SHA256=7E24C654A605C8B7D3E0FD6D9DC4B8380C43F013E83ECF07807CD6F20358346F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.993{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.985{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.969{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.961{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.958{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 11241100x8000000000000000313342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.819{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\SiteSecurityServiceState-1.txt2022-08-24 10:07:15.819 23542300x8000000000000000313341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.819{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000313340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.819{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\SiteSecurityServiceState-1.txt2022-08-24 10:07:15.819 23542300x8000000000000000313339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:15.319{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3898FEF89277E58B9EB6B9102ED2CC0E,SHA256=B3BD35077861ADB98F6FA3E83687F3B2FDF6C2E0FFBE3B4D52CE646AEC35079E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:16.685{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2DB47AEB305B920B59E9484A28FADB,SHA256=BEF31E66EAA30D2B4BD812EDCF312E4B3D36CCA7844E80C5981B164B90ADB702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.603{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECB2902A8902E6905485A4CE336C219,SHA256=235E82E87983452E08F0673B707D1B21EE5C1AE4F8F6F90A0178B32E9F92C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.603{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F54B0DCBF632449003650CB1A57E13B,SHA256=68CAE45A33B4EF95156E49235E4FF2CB1DADB192EEDEA2FDAF17432A66FBD43F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.301{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.298{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.292{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.285{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.280{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.277{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.274{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.270{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.267{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.265{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.257{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.236{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.232{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.231{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.231{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.230{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.229{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.217{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.206{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 354300x8000000000000000313376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:13.874{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55251-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000313375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.176{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.165{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.158{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.152{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.146{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.145{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.142{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.141{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.134{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.133{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.131{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.127{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.124{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.122{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.118{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.116{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.110{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.103{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.101{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.086{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.074{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.066{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.059{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.050{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.037{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.011{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000313348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.006{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000301694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:17.717{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A870E29A2FA509E262FB82AA07B7FFDB,SHA256=0A7B6A5C5903D8CAED40CA58B3172D775124FAB9787FC222FC76BA7BB1B75085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:17.719{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7232D2B434A72EE5F448F6DFD81F3B,SHA256=F5D9DD4DFBE1C4E91891357B2E7BB25E0A63DF8AD445179FB5B1C902BE25B36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:18.834{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F611657D72F88BAE6B7FC6D07230EA5,SHA256=3BA1269825F1C3F03E47CEE6BFC922658B2B20A548012B627815599217C5F3BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:18.834{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB472E8B5E0DB5EFB92D03C7836271FB,SHA256=2DD6E6416124C8A4660FB5A2F9F7AFAC3E889149C3D7FAE4440F13CD17ECB85E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:16.045{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55252-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:19.952{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8738270796B7A5EF673ECB30CD341A7E,SHA256=ADE3F58176903C1F42DE873285996BBE625F34FF6D76A41B3726C76B0898C15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:19.864{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D776CEFB5CF0E61019005FD3D765D3E5,SHA256=BC6688C51602A0B94C504C00AAD5DF94F3E1FD74799064A0E0B684840549DD43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:17.037{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55253-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000301699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:20.966{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97905801B2D408C4BDFA4AA93EB642CE,SHA256=ADFAC4BA5A24597B824070ECE37380967F33F60A9721CF9A07968362C96E5F70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:18.343{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55254-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000301698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:20.568{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:17.651{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61479-false10.0.1.12-8000- 23542300x8000000000000000313407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:21.068{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576E81FDD60186607BE07D949442D071,SHA256=37D479A27AD6054B81EE68DDA21077C8A920EDE334DD59CC630D497502B8A859,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000301704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:22.515{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\SiteSecurityServiceState-1.txt2022-08-24 10:07:22.515 23542300x8000000000000000301703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:22.515{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000301702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:22.515{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\SiteSecurityServiceState-1.txt2022-08-24 10:07:22.515 354300x8000000000000000301701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:20.012{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61480-false10.0.1.12-8089- 23542300x8000000000000000301700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:22.064{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116FAD4DD3A7C8169A2D246E54F0814F,SHA256=4A50CA04264240A94DC9DAB5AC891D5DE55C897FF23348DDA185C8EADAEF68F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:20.528{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55255-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:22.136{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3354803C2A89F6B961E9CADFDB1600F3,SHA256=9BD1A86C92F4201A54DE59CD3B647ED1F34747629863B56B00552204053643BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:23.200{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F692B1A34FB4002B1AAF3DE22354FDD,SHA256=56D461270704BC8A0F66E266BC001909DCC11F644E01C885C4F82A2C58A4803B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:23.251{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AC95E1B6EF04D3E65277C9A8FD20F8,SHA256=5F850D03D2C7D91B33BC481257CA530B4B203B8B23CD55008547192F45BC6E0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.695{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.687{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.684{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.681{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.678{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.651{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.644{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.632{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.627{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.613{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.603{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.588{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.569{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.561{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.551{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.544{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.492{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000301707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.488{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000301706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:24.234{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C96A39FF4EC70BB08C4CE6FDFAD2A27,SHA256=C92996073405AD406ED7BE2D95A4B795625DFF2133EB7FDAA454287D4D86E90A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:22.809{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55256-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:24.381{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F344D0D8186BF624E4B4E0306ED7D07,SHA256=04352DBBFA306416F1ED36298C73DB011220C2C518F46C0EC89EBFE314030993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:25.269{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A570F4BF81B302BAC9721A5C99D234,SHA256=6F2E35333FDE9DD6F399333EBFC65F743A8BA43BE9BBEEE5471B4348BFF45D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:25.766{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F4CC58D0189D60FEAFC57D391230A2EB,SHA256=F01A438FF6B8536553FC4FC7C9D5E9D9EBFC50C65329DE56579AFF6C6E333931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:25.499{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74881845F8423D604A8E02C04FC4A71,SHA256=601DD2C42C8AFAC4A61097FA0DFC61F0575F2E730E67886A2F035F1C838D43BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:25.156{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:25.154{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:25.151{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:25.147{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:25.146{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 354300x8000000000000000313413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:22.861{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55257-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000301742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.802{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.802{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.802{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.796{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000301738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.796{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000301737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.795{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000301736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.787{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000301735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.787{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000301734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.787{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000301733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.785{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000301732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:23.617{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61481-false10.0.1.12-8000- 23542300x8000000000000000301731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:26.347{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513C28E16A7CB1B462ADC75F41FE3915,SHA256=2F34856F45F01FAC94F073E1BAD9DA975A68D1E068983CF4611711483878C9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:26.582{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD72E8559F96BFBCC523E43678941AD2,SHA256=A144EF6F56C0991F47D37E88AC12E77DE701AE45736051B35C3A2224D1731D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:27.699{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805839A088CB1014D68CC352D24565F7,SHA256=47F6E60AFA3030A69135AC145CDFB3881AEFAEF0C8E74BD8C30E408BDBAD9025,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.866{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.862{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.856{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.852{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.848{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.845{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.841{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.833{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.808{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.793{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.770{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.746{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.740{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.731{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.720{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.718{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.715{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.711{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.707{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.706{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.702{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.701{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000301748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.447{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609F36DAED9E2AF3A335384FC1E68A64,SHA256=BF549F35C9CAC490AF0B0064052237D47503F526479BB5E65DF6DF1383183F8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.186{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.184{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.173{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.172{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:27.165{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 354300x8000000000000000313417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:25.004{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55258-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000301771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:28.769{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894CB1147B37C1A96C9A820B9A121F3F,SHA256=4683175A98ECF8D6A2FE77B8D9E6F0CD42FBFF93A4E5976BCC65A23C567EC32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:28.782{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5C567FE4FE003B9BC95ACEA1E4B523,SHA256=21FB6DE0B3535B8054AE695AE1B1BDBAEAC6C6B79F028E376A95C82FD4A38EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:28.019{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:28.019{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4CC8F460D901C1D97903A313E2820CB7,SHA256=8FFD3CA8BBBF6467B716A3EE235734C2E19B7D94BCE0C30667395F8C550C27E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:29.901{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4B133733C9E8A9395C73A1CA6DCDE9,SHA256=B093EC3C36780BAA974E0F50E94E94D32C99A1F6FB9B511D83C83E42D1472B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:29.899{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF199DFEE46A556BCFDA5C3F8AF02F3,SHA256=7E85C62625CD8160FD9316E23777EC3F5C87DAB4BC56240C816D8A7EF0742CF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:27.918{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55260-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000313422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:27.291{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55259-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000301774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:28.712{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61482-false10.0.1.12-8000- 23542300x8000000000000000301773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:31.014{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A6E8BA4854711DA25A755F4188D2C3,SHA256=83AAA29ABEB878A8B105C97AD5EACBBD980B073D5691B6FAE4ECA186B8C0E304,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:29.574{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55261-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:31.021{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05A3E6DC412F8AB1DE11D00B5F00898,SHA256=F02D7C23BE977E86CC986E901BD7B200193852D7BE643111FAFD95812291FB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:32.129{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248ADB712700BB69B4956CF70BBAAEBD,SHA256=825629D72906D309A2FA3FDEF650E86874A669CB39F043DC1789165187093DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:32.051{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B65E816F64B2BBE6FFB150BA455C12,SHA256=38D90084906793D468F694971808931EA207B9DB9B63672EE7869B12430F05DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:33.245{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D2DA8B960D4B9665E4E6D2D7D9BE89,SHA256=886D8B954A9086F08B72AEFB447E5FDEF050997619B88DA7753637B56B362D7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:31.843{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55262-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:33.083{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E934C5876F079840BC3B34B5CE551A0,SHA256=7E5CA00FB2AB6F08E74253FBA623A4042C92B3492FAA3671A1F2094DA9116B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:34.862{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D8AA485E3124F21A9973585672E6C19E,SHA256=DF57F00F140D1DC996649E21DCF7319851DC95BADB580FFAB0A097EB1503C213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:34.383{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971CDD17354D2A70B606DC4EDA065C7E,SHA256=C637C27812B678A343086F5BBB44358C7CFDBA784CFF481ADC74A8C8BD3BE2F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:32.937{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55263-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000313430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:34.200{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B430E19D54A00722A0E2B636DDC593,SHA256=49AE6B530E4E1BCC42333C7E7F5B2531293C9FA317D88A2C9FFBAE151A9AC84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:35.598{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC6B9D6A7B709B58A038C5FBB5DC836,SHA256=A1C8E4B07EA6D70365F1B50538C954C93793D9D28E15E95C02912E3667DAD915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:35.304{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121494FB840E8E43C2F13BFFAF369CF4,SHA256=6A85D070BC9412DE733BF5D308AEACF67EFF28C01CE74504979FA31C2AB316F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:36.728{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3694DEFF679FFA0CB31698B8E24C1C9,SHA256=AE51687D8E3E9FF6624220600FD74F0E3A2B55CF24D8E6531BE69D24883C9C7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:34.127{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55264-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.509{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981424AF3D1D38ABEAF12A3867A0E892,SHA256=8769FE7E2C61C3B4FC31F510629726A3D08D281303DD3265CEAA0D47ABF1EB4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.449{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.447{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.446{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.441{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.437{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.435{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.427{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.424{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.421{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.416{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.410{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.410{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.405{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.382{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.341{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.338{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.335{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.334{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.332{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.332{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.309{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000301780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:34.726{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61483-false10.0.1.12-8000- 10341000x8000000000000000313466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.301{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.271{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.262{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.252{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.241{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.239{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.231{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.228{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.224{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.222{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.214{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.213{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.210{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.207{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.201{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.195{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.190{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.187{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.183{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.167{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.163{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.145{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.131{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.124{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.115{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.107{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.092{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.058{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.051{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.042{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.031{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.016{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.006{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000313433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000301783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:37.843{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD13C3E2BE024508B8099DEDB7488ED,SHA256=99A0A249BFF61899CD93BE7B6EBB6EE3A4C1351BB206B4DDF9DC63BF2DD1F659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:37.405{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5865C3476828595F2FB4F6DD279D61,SHA256=D44CE79F0DA494D4BEA6290C95BFD1AF81EF89D737D757E0E224BE3D30BED843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:37.561{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2D0EE39AF274049B708286909582039A,SHA256=165B5D81EB1B14ED2497B3713C340B54EB881525F2DE1F6EC8BB62BA3A55477C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:38.960{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC06A61E070DFBF9EF92E47C1EB63D9,SHA256=BD779E647EAE15A1208BA3C85662CEC1017D7E381638DA098ADA2EC7B8938E45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:36.311{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55265-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.472{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1198BCB3E8A5E747B0A798194894B8EE,SHA256=C02DD5964FDD43C7C418BD6FFEA7085C28A25488C2B656621D226B7B6DB8A1F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.328{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.328{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.328{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.322{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000313496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.322{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000313495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.320{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000313494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000313493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000313492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000313491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.315{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000301785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:39.978{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548A644776C5113B0CF3C280CCA9E163,SHA256=5F6E9A516646911713F0F1C43E6EF3214021C563D79E57ED0D2E8F3E63C91CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:39.573{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A36FF387C8C875C2A1D9723A6C0ED3,SHA256=1B4DD3D036141D942134E6484586D2925B66664181C2F0737BE25B2338A7914B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:40.690{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED94AF3EC1DD9BB9BCC404CBE781056C,SHA256=1E3E2ED892B734E664C66628EF1140190122FE32CBE78265EA723F23C5D9CB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:41.827{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B43E076467F4C567529D0CE57B14CA,SHA256=031689405A302BEC25945827AD1CADB1C3383195246769EDFDCC58DAC3463A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:41.456{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=41989339FAAE5F1B70D4A866219E95A0,SHA256=7D771E94921059996198C68847D7BC566DD3119196E3E0DDD8414FA58EAAA7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:41.093{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820F2947C4A3EC25BEC6691B13EABAFC,SHA256=D27DE14710DF65527D6714B9164A364F8C449261DE41A4637A01CC9222583F26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.958{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55267-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000313505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:38.594{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55266-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:42.928{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0EFDE54E055AC9EB9A627C3147D107,SHA256=1FF47CA83F75E693DCD78FF73755E5F1F21EC7C93F7C9ECF66F8003D4F96057A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:40.626{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61484-false10.0.1.12-8000- 23542300x8000000000000000301788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:42.224{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7168EE4B0C97C5972A56B4AAE02008,SHA256=EF0CEA0F835C02FF9F42BE9109239593D7F4A4F1074C3F81DECE6533E5193648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:42.791{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6C307B72F365578B4E89FC585FB2565C,SHA256=2C831B32895273BB3B30584BE9A680C7F76A281FD160F60CBFAC458D8B22F407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:40.781{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55268-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000301790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:43.340{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78ABDCE0A62AA34C61344ECF96A074FF,SHA256=0CB1A73943880F97FC6DD8521611EBA56F08F98229FDEC72B66DA676021803A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.635{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.628{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.624{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.622{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.620{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.599{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.594{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.583{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.578{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.570{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.563{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.555{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.541{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.534{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.526{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.519{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.478{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.473{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000301791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:44.439{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0934C22D6E250C43DE86FCA5F8E7CC99,SHA256=E17445F4F0E3D93CF8D79BE928BF1A9ECB590E65F95CA8C42C8D1D97AFD51ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:44.159{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:44.043{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFDD29B732D497C1B16C10103A9D92E,SHA256=348F5456356DAABD8EE52D7D7E4BB3480F1E156FF7248DA04709827430463A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:45.477{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A507C64ED229B96B0DE585E90F8AF7F7,SHA256=65383173DF1E5205D5F70DCD6C157E6C56C2FFF9FB10CE437A96D3E48BED74F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:43.929{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000313517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:43.050{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55269-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:45.127{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31930A5D06BE97745FF28F949DA3CBA5,SHA256=3781FF2A5EE7DB5FBE1136AE61B1BBF9813672B18A0E1AC8B05DBAE37ADC2A77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:45.058{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:45.058{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:45.058{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:45.060{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:45.058{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:45.054{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:45.050{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:45.048{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000301816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:46.580{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40DE2014085A6D4A289EAC5252187A1,SHA256=A95581096954D5EDBF95501A843A734202AAA3888C2D894682F86537B82E7B90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:44.944{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55271-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000313519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:46.158{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9974B613F176696B41506099D74D9AA,SHA256=B50B30DEC7508798838F8403A3FC860D5391CF8D84C11FD2F564E00201A7CE90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:45.334{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55272-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:47.259{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB439C9B3FFC8638F30F7DA37028A0C3,SHA256=1CC622D03EF3A4471CB647C3679394C0D6DAB563E7E19500286B11510BAA578E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.772{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.769{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.767{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.763{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.757{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.753{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.751{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.741{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.712{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.704{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.692{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000301834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.683{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0A7EEDB7DE5F40B47F37C84CEECFD0,SHA256=66BC049ACABA3FDB6C69DD74853A50411313C01354A3E765703ABDF047050D32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.668{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.661{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.648{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 354300x8000000000000000301830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:45.644{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61485-false10.0.1.12-8000- 10341000x8000000000000000301829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.643{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.641{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.638{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.635{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.633{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.630{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.627{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.626{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.118{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.117{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.104{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.102{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:47.094{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000313523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:48.394{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCDC2D7161E0E01E10B98C5FE4E6CAE,SHA256=6EE8BD2FA7BA0E54911883748BAED5256BE6F0131AABEB6900D8C4C0EE8EA6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:48.662{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476D2112D5EF136C5423482A5561B9C1,SHA256=0CBA378B2C9F6B82275856E66383C91A82630F6A81D10C961B7F7137EE7F87BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:47.534{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55273-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000313524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:49.409{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1020578B9CFF88A2AC0CD3ABD7F3EAA,SHA256=D0721E6D0BEBE642A0E8719592EC3B2633A98C65185CA3C197CACACA06129A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:49.760{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE3E133809119352BBD82C1EB3BE382,SHA256=C939929BA123E4FB212D844822164D052C5A1C2C6339E92D3C0D710B0AB30CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:50.544{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2642249ECD2CC7F84AA6F8E848955FB8,SHA256=2BD03F85B03779D4DBDA40C11C818D1C9C30059033AB38934F23E5AD7122B0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:50.796{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE25FB129CBC41204D6E4589F08E57,SHA256=1C965F64DDDBA11A409839F28D622D57187CEF33C4382B534BD9223102F8AFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:51.911{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D343E16A89A9264634AB3BF29BADC2E,SHA256=70BFBED5C865BFDDCB53C60CB6B80FDC62A40B9AEB43869ED9CDB0C77BF6EE22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:49.813{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55274-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:51.646{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E9C1E2599F2F1629116DD8AC4C0E06,SHA256=49487E48579B4C0BDC7239B588A8C21195411CC2662D31575DDC2BBA8D7FB2A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:50.930{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000313529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:52.661{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117DF53D84E0CAFF47AD59DC9AE3B9E7,SHA256=DD07FBFDDDDA07EB27A8AB291B4644FD251CD03662FA86F8E21C22CDB92F1879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.845{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC01D81B5C5296DF341D0DB2DC4B88E4,SHA256=E30C5EABA196DBB3B8D73741CA6006996EA581E3CC1F987DA50DBDA2373C811B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:51.608{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61486-false10.0.1.12-8000- 23542300x8000000000000000301850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:53.025{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EF8B21A313E2A708ACAC644A09EE53,SHA256=46B8B70664AA4ECB4A7EA6BA87A3EA9692C8AC0D0077970D2F4F5BCADD7E882D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.564{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=24B5CB3E2287BC9D2020846FBDAE2D82,SHA256=B6CF3442EC49B81BD820C6B5D9E0CFC72B059A0C2E02DC84E7710F9F7521B43B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.310{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000313580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.308{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.308{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000313578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.114{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.113{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.112{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.112{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.112{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.111{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.110{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.110{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.109{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.109{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.109{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.108{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000313545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000313542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000313537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.092{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:53.093{F6DB49F2-F879-6305-D105-000000007602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:54.912{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D25ED889E80F2BE121777C1EE255A1,SHA256=64B39F45594D661A1E79782ECB2904F1107FB3216E6C91E34BA77AADD943D26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:54.140{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F708883BB39D4CCA3AA16E42D9323C1A,SHA256=1B74D6C910AC5CC5E9742E640F8FB992E7C5BEA6C6A770902259849BBA587000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:54.145{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72C067B8DEEB836859CB40A12E0452C5,SHA256=1DF5A456B4BCAFDB4D21363792F32F7B9AB28D255CF1012952798F8280C263C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.985{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.977{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.975{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000313692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.970{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68CF7CC6090B7B2F820363B7AC87FC8,SHA256=FD0A5A69984929E73D13BD907E5453CC31359C2D8290AEE7669006C5B5EC2D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.929{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3EE5224D172CE01075A34F7829B986,SHA256=64FF11F77F46140611082DEC00CECC20A9A78C800D022F03EC8705DA379682A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:55.242{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8C2FBEAACEA01D95F83AFAFFAB891D,SHA256=21662C54DFA826403CFB7D01F6A3E142F6337EB5FB1CDFBDE3CCF39A3F7C21D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.791{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.791{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 354300x8000000000000000313688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:54.183{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55277-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000313687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000313680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.776{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000313659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000313656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000313654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000313653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000313652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000313649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000313644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.760{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.761{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000313637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.491{F6DB49F2-F87B-6305-D205-000000007602}23366128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.491{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.491{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000313634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.291{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.291{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.291{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000313625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.276{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000313610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000313598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000313593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.260{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.261{F6DB49F2-F87B-6305-D205-000000007602}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000313586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:51.999{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55276-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000301857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:56.941{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:56.941{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:56.941{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000301854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:56.280{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114474FB5B20195FEEC935ACCEC7B9B0,SHA256=FE343C6116FBA085615149B65BF2276D99F6DC837B4019135FDD19B39FA60595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.509{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B80B7EBC11363D23B6E8D5CBEDD3E59,SHA256=6130241C49B359AB981A3770D6F47C5DA68AA3E6D218FF4AB0A49AB76E9F3972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.292{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.291{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.290{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.286{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.283{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.281{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.278{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.276{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.273{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.270{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.267{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.264{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.262{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.254{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.239{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.237{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.236{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.235{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.234{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.234{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.220{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.210{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.187{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.171{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.165{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.163{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.160{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.158{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.155{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.152{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.151{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.149{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.146{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.140{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.135{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.127{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.121{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.106{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.096{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.091{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.083{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.076{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.066{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000313703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.049{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000313702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.047{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.046{F6DB49F2-F87B-6305-D305-000000007602}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000313700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.034{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.026{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000313698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.014{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000313697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.006{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=05D9EEE12BA403CD47203CB814DB1844,SHA256=EF9F7D0B6EFEDDFDF642245F70B9714BF54271C3ED5C00FD391053C47142A535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.002{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000301858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:57.397{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C8DC83BFC54BC8B265D0C952B7AC10,SHA256=3DF902E95F0A7F360221B785B5D338CE1863C27F82313A816EC16DC8E3489A55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:56.383{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55279-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000313811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:55.966{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55278-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000313810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.660{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000313809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.660{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.660{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000313807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.572{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.572{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.572{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.571{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.571{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000313802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.571{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000313801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.460{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.460{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.460{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.460{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.460{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.460{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.460{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000313786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000313769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000313765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000313760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.445{F6DB49F2-F87D-6305-D405-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:57.045{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6B03ADA122CC36C00F01BA8C158FF3,SHA256=E81697CF7670C8325CFFC8B3C3728DC72AD470E6ED4B28BCCD48143B5208FFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:58.531{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7249E20D6EB2B04D2F5683D361DA848,SHA256=EF5F5997C53586E66829371C777FE9A8C45A3676FBF78747E8B97D8260564BDE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.891{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000313915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.891{F6DB49F2-F87E-6305-D605-000000007602}55684476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.891{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.891{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000313912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.775{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BB3001718CD3C9C242AF437771F1BD,SHA256=0CA31FE896E62E24C2956BFAAD08227BE8FF5394EBBF5F80703E21D45C4DAED3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.686{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.686{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.686{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.686{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000313876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.671{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.669{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000313871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.668{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.668{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.664{F6DB49F2-F87E-6305-D605-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.663{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E730A0024A8FBF4BF860AC782E632E,SHA256=AFD66F111C701123A639C11D2B543FBC872CF088E3082B6799560822350546CD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.344{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000313862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.344{F6DB49F2-F87E-6305-D505-000000007602}1725676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.344{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.344{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000313859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.144{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000313824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000313819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.128{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.129{F6DB49F2-F87E-6305-D505-000000007602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:59.639{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F245CED1ED6F250422E2FA1B17483A0A,SHA256=273E47695C102306919CCC3206429747E2D817CD8DD0DFA2A9995E08606A7B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.705{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-167MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.695{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4DC6D6357E6FD936F731A88EB52A7EB,SHA256=5A893821156AF3DC275EF0FE3B2DEE250FF86CC46263CE90B606CEDBF0445D9C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.529{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000313968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.529{F6DB49F2-F87F-6305-D705-000000007602}51764808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.512{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000313966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.512{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000313965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.408{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AB12E8376B6FCB84E265A338DEDBBF,SHA256=6C4EFD5122ED367DE6A679E51FCE52AB29421B2770FED9D32D0D6CE8B83B6A78,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000313964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000313963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000313962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000313961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000313960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000313959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000313958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000313957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.359{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000313956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000313955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000313954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000313953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000313952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000313951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000313950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000313949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000313947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000313946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000313945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000313944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000313943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000313942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000313941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000313940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000313939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000313938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000313937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000313936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000313935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000313934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000313933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000313932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000313931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000313930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000313929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000313928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000313927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000313926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000313925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000313924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000313923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000313918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000313917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:59.344{F6DB49F2-F87F-6305-D705-000000007602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:00.676{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACA8D3A89FA304414051F80F53BFCDE,SHA256=4D35B77F74426CE7381F6B63A0344F3AF1F380FF5BB5B7C8C47C0434181E4B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:07:58.582{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55280-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:00.859{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0A4BCFF6E9D6FC1B41B824CEB853A1,SHA256=235B97D309589A95C15F7FEA53C41A6951C253A58B99E318C4E0DB9511416C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:00.710{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:07:57.575{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61487-false10.0.1.12-8000- 23542300x8000000000000000301863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:01.691{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7717900C5CB4528714E446580ECC89B5,SHA256=615FB1AFCBA89F06630096434C9A8CF0A3906154179A0ACFF70E1BB3F1A3E771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:01.844{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DEC1BCAC2E0E2687B6B545CD40B139,SHA256=F24E40467A253F15DB3C94EFBCB5015D17011F8C74FA0F5F3FFA6AFB2EAD1DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:02.822{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3BD18ECBE4F3B7D5934D1E42F678E5,SHA256=6257936FB09F084586B13742E4FA7B10021CCB635E81FB45684BA48AFDFF6A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:02.975{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8908BD37FD9EC02B73DD108C7895DD,SHA256=0763DAE49A381FEE0BB0D37C80A6F55CC222BDC2096B2C198C93ED1E92AAF84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:03.937{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B8314EDA274F1EF782E69311E82AFE,SHA256=AAB63E60760470D19B7689E175840435110BDE3307AB48F18855EE95CB8B0367,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:01.032{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000313977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:00.781{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55281-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000301884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.986{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BC737CFC1385FD46D148839C751EFB,SHA256=AB174C35ADC71CB9053EDA6F974F2751B1C2CC5251E526EA92552A59677BA842,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.728{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.722{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.719{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.717{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.713{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.689{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.681{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.667{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.660{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.632{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.620{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.612{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.596{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.587{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.579{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.568{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.498{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:04.493{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000313979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:04.061{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE43603A4BC51FA9ED9EDC049377E971,SHA256=EFD66690DC67A9A6BAFFF253E469526A818541C7EB930D886D840AD895C55271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:05.192{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2669B4AA95FDAB7E7E9ED8899F9B857,SHA256=F14D6F5A5173580803A0D9EA84933BED959A273857E95894C83323180487DE53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:02.604{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61488-false10.0.1.12-8000- 10341000x8000000000000000301889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:05.126{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:05.124{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:05.121{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:05.118{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:05.116{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000313982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:06.279{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BFA33A3822A11591B06B3F12E06E7E,SHA256=C61678BB726CC240169363B3AA515C058010BF69722ABA3C37D845D4AB572D78,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.842{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000301997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.842{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.842{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000301995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.696{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4A496967D0A104B5E5AD3A3ED68E213B,SHA256=97B0A135AF4DE0AEB4BF827D01CC2AC7C383E8E56012FA958C43519E7DD5C44C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.687{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.686{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.686{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.685{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.683{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.683{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.682{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.682{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.674{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000301985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.674{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.673{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.673{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.673{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.672{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.672{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.672{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.672{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.672{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.672{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.672{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.671{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000301963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000301962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000301961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000301959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.670{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000301958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.669{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000301957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.669{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.669{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.668{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000301954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.668{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.667{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.666{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.665{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.665{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000301949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.664{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.664{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.664{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.664{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.664{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.663{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.659{D25361F1-F886-6305-7905-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000301942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.177{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000301941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.177{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000301940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.177{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000301939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.078{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FF40B61725666D1E544739B73E79AC,SHA256=9DA6500C8B4CB202DF2D7B894A7E41BB2517354DA2C57B8B3CF7792D58DA4E3E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000301938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000301937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000301936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000301935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000301934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000301933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000301932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000301931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.041{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000301930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000301929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000301928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000301927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000301926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000301925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000301924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000301923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000301921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000301920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000301919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000301918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000301917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000301916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000301915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000301914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000301913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000301912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000301911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000301910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000301909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000301908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000301907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000301906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000301905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000301904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000301903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000301902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000301901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000301900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000301899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000301898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000301897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.025{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000301891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:06.026{D25361F1-F886-6305-7805-000000007502}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000313981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:03.066{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55283-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000302133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.978{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000302132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.978{D25361F1-F887-6305-7B05-000000007502}58845012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.978{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.978{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000302129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.873{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45490578512AF49D35EA0E1FC78AC6A7,SHA256=8A03E18F66377AD5ECFF80A234D6A719223F07718B91BD29A4C3DD65FF3CE95E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.826{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.825{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.823{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.822{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.821{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.820{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.820{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.819{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000302120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.815{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=305E976D894A27E12FA9BC3E21245694,SHA256=654822220AD58DD53C9EF0BBDA0BD5462FD9BD62E167ABF94C95AE0B23C64BC5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.812{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.812{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.812{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.812{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.811{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.811{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.810{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.810{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.810{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.810{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.810{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.810{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.810{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.809{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.808{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.808{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.808{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.808{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.808{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.808{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000302092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.807{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.806{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.806{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.806{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.805{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000302087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.805{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.805{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.805{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000313983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:07.329{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B343756F5611ACA07BB6CCA9095C1A6,SHA256=2E80E4F474BAD1BCA782A53164C61BD7ECB09278F307E6E751C8F03CAA1BC464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.804{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.804{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.801{D25361F1-F887-6305-7B05-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.799{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DB2185539938EDD63F96905FA964E4,SHA256=05A30C7171D19A5C5729A320E0A6E75A806FFC5EAEED54645298D8C896AC1F5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.795{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.792{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.790{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.787{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.785{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.782{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.780{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.773{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.750{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.743{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.731{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.716{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.710{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.703{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.698{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.697{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.694{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.692{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.686{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.685{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.683{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.682{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.358{D25361F1-F887-6305-7A05-000000007502}20364796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.358{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.357{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000302054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.209{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.209{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.209{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 23542300x8000000000000000302051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.209{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1C9CADC50ED1E5B4AD06DEADDB3D9D,SHA256=D888FA584C56B88E5686338DC34C36FD7C29384CAD7301AD97C369EA7D7311F9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.209{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000302044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000302029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.193{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.192{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.192{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x8000000000000000302017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.192{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACF84DBCB1D01D838DD71D1C3DC0B3A,SHA256=8BABC11D2C5909B00D2171A6BB2D67DEE4077C931D7D03D6DA23813AA1FB4BE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.191{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.191{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.190{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.190{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.189{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000302011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.189{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.189{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.188{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.188{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.188{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.188{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.183{D25361F1-F887-6305-7A05-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.182{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4547459230603809D69CFEF2119E289C,SHA256=8549D91540A604FECC2261BE2F371DB89009949743ADD106CB168F5C17C49A30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.180{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.178{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.164{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000302000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.162{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000301999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:07.156{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000313985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:08.410{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B299EA310C0FCABA70BB4531E4967AC,SHA256=EE68F537FB6D376F77B67DC6BCB3E1E17324CD62D629AAF2701C96665AA016F8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.610{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000302185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.610{D25361F1-F888-6305-7C05-000000007502}66602876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.594{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.594{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000302182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.441{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000302148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000302146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000302141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.425{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.427{D25361F1-F888-6305-7C05-000000007502}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.310{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9B2964616FAE7EA210D5810A17EC6E,SHA256=4BEBA2E605A5D18ABF7E618AB11BDD008CF8E0AC78A8A8504145BF7011933E19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:05.353{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55284-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000313987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:09.559{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8CC6AAF606506A90A664221E35E0C,SHA256=23528329048DDA3CCB8773886BEF61A72D41398BC4938041C155A19824246F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.541{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A1FF17315CC27CCEFB206C74094678,SHA256=F25BDF3DF138C71CD32C76451FBE90C9A89245A1DB45E542FFBBC99E3530B73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.525{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B73347980669E6F51CD86C24F1990F2,SHA256=0B4BA975DDA596033AB0985ED5B3962F049BE4B6D2100B5C6A1693816220EE9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:06.881{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55285-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000302237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.310{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000302236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.310{D25361F1-F889-6305-7D05-000000007502}24601276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.310{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.310{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000302233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.125{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000302198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000302193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.110{D25361F1-F889-6305-7D05-000000007502}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000313989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:10.690{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADB00082DBAA26A4BD6E933CA71B01E,SHA256=0AD0E082CF82C3F426B8DA9003237833FAAFE911DEE0D8E6DE72E262950CA4B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:10.640{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421AFFA8F143D909EDAED64D519C90A3,SHA256=CBC501F699116C825C32210552EB20D6BB2D81FC374BBE96A9211DA4822F7CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:07.637{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55286-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000302240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:08.592{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61489-false10.0.1.12-8000- 23542300x8000000000000000313990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:11.790{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FF4FD9E00B050B93B4881310DD6787,SHA256=859AE8E0033AF086A3D99AEAF7146F77C22145E8FAB1D4960DD430649362B4FF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.967{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000302301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.964{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.963{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000302299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.959{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A98AB4F677DA7B8442C814226C36959,SHA256=D530996D2096E3E8A0C0593925671CC4F8791E12F4C4D86D7807F928906C2F84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.783{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.783{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.782{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.781{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.775{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.775{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000302292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.640{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.640{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.640{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.640{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.640{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.640{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000302278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.624{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000302260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000302256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000302251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.608{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.609{D25361F1-F88B-6305-7E05-000000007502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000302244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.123{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61490-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000302243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:09.123{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61490-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000302242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:11.343{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-167MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000313992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:12.907{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5418A60720ACAC7F593EFCEB34B17BCD,SHA256=138CEC4B4897CA3844DE8B5F554005D3D453E00DDA18A1C1F1690A5E0F0CA172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:12.925{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18DDDFC6FF97E9FE1A73009DFC4810D,SHA256=24441E2745C3512D9F079A63879759F26AE02215DB6A281603CF2E153BEC7261,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:09.821{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55287-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000302304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:12.727{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0096F1C6E452DB21E7ABE739FFFB9687,SHA256=C94895101D612B6F7A097174C8C14F5244A10AA368CCF20755D68CFBFDB320C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:12.343{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:13.943{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BECF9750FFBAF0BB3280C54B2BDABD,SHA256=7ED18E3429EAFA6C8DF738746D17DE472B85A4179F9DF25A23414827879B701F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000313995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:12.112{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55289-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000313994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:11.960{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55288-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000313993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:14.043{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479A812717615D954B9400339BD73240,SHA256=EC06FE27EF6C3CB41F300F860E0E768C6510633628CE875D9D500C1EA45E7899,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000313999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:15.986{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:15.972{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000313997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:15.969{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000313996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:15.073{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DE44207B39DF60074CF73F9C46C1D2,SHA256=74C3F4BC90A29869BB49B34699B2EB529B1CF52D1E58D0D21A57299AC61B1B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:13.623{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61491-false10.0.1.12-8000- 23542300x8000000000000000302307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:15.057{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2435FBEEF2E72EEAC0BC1297DB3C4C1,SHA256=7009A361BDF3A2E54E8914723500FE71FB842AD36E673DC20446517490C67AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:14.311{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55290-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000314052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.330{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.329{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.328{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.324{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.321{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.319{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.316{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.314{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.312{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.309{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.306{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.303{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.301{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.292{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.269{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.267{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.265{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.265{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.264{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.264{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.252{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.240{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.218{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.212{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.204{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.197{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.195{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.192{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.190{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.188{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.187{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.184{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.183{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.181{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.180{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.177{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.174{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.167{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000314014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.165{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC99D2575D19E2EE9DE1F2EE06A60F9,SHA256=FAC16F528432415A8EC72E7A0153427E1C0496824E5E03FC605E47551EB9C691,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.164{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.158{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.149{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.147{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.129{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.118{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.102{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.093{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.084{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000302309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:16.176{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489517AAA7997D5F93E955A9C4C26F80,SHA256=BA7F948EB50D903C900951D9CCE0EB18A1C3C2D38DEA1AC01250625C18C560BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.064{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.025{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.021{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.012{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000314000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:15.999{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000314054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:17.576{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EFCAA33A5F4F6E782AA952011A4FD3,SHA256=97452BBC15077025A0DEE28A23CE70DFC1DB68004000CE7DE3335BFAC7061403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:17.294{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C53A0001F4E97886AA7EA35B10D2074,SHA256=5E68FAC14FE6C45EDD039B013B1D709608CD19115F7D4C2A3111588CC6BFD152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:18.709{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941A91E7AD059BB803CA886787E0E8F7,SHA256=3EFC9AF9E6AEBD0EEDBD117BC1357C6331661C3A1FBDC46C729A8A6748A36B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:18.440{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87880AFD4E875F6AAD7638F5BEB8441C,SHA256=7FB3B843C6632055227BCD8D2B92E32B86AA88536D4E156CC6D290E5C071C305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:16.595{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55291-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:19.828{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F6E9090B324BE81830312D0F93CE23,SHA256=45633A193B784A8EF8A955159679139760726B665AEE36E7FD1A67CAB1EBED9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:19.555{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F422C56ECEB5A13573E0F4C69B39357,SHA256=A64FC9DF5093246EE4DB0248E7F8B43C232D67B1F314E7C4AF0D2A1882A1AFFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:17.860{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55292-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000314059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:20.944{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278CB4407226D80614C9DE0D7EC93B26,SHA256=F105C064A4B976CE97FCF68AFE857E86778B1C91C232741E84C60F7869DF646E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:20.671{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B2DCE0599FCE8C60F2857B56488D0D,SHA256=58B3D05FDD412F31964248A6A47C440FB4ADEE579CCBB3CCD3B030313FCC5DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:20.591{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:21.706{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD222F535884A9478DFBF18FB29325C,SHA256=29507EAECCFCE1169EF5CE48BED9BE5BD132D73230BCA49BD3530E1FA8498691,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:18.866{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55293-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000302315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:19.536{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61492-false10.0.1.12-8000- 23542300x8000000000000000302318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:22.837{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00443A55DFCA329B5A9FB47240C182B,SHA256=05C4768F56BF1D6F2DEC6CDAB0D86EA7DF3B69AB600869B8CF9096A22EB509B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:20.036{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61493-false10.0.1.12-8089- 23542300x8000000000000000314061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:22.076{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D37D9E7A095C1826B663322E4C7E02,SHA256=BD96417D9177C97B98A4CB90984F59C0A424875D5D7C00953AD2D6C81D357F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:23.870{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F080340BD1863F057315A073EE4FC19,SHA256=8FFC62C2FD334C84C2508014395A8A81B091A9C0C768F2A1F854521CE30E2CDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:21.136{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55294-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:23.208{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04645E67A7D887B98F0082F5811A318E,SHA256=98B0A8977BE599D7FEAEB2C4CB3384B9A89B92A02006A8F2AFF89F0ED805A1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.945{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D04FC04F55D9681F27DDFEB3BE70D81,SHA256=AC1D0BB248369A93279E0C8046EBA70628E70EA3C02708453ED8E172558F9B1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:22.913{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55295-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000314064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:24.313{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2BA26EC81D37F3E948815E0C581B365,SHA256=02C45BAD5598E51359DB45E0CB1943B3E2EF4435EBCAF27F134431EBB506659A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.741{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.724{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.721{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.717{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.711{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.673{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.665{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.651{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.644{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.635{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.627{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.614{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.604{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.597{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.584{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.571{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.500{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.497{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000302344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:25.977{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270A891F626AA800F506D1BC4DBD7E7B,SHA256=A56DD7ECC7382B486BB1C70DA95AF993EE14F0C013A4AE3BA51C9BCB0692098F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:25.459{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9876E4442251B68226C1A428ACC34B37,SHA256=2702ECCA8F310FC0A55FF335EB91767FA8BA151BA913F1E245AB57B94864C9CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:23.435{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55296-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000302343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:25.253{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:25.251{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:25.248{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:25.244{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:25.242{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000314066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:25.209{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=59DE22FAB5D3B5D500F1A80F295BFE34,SHA256=9DCD6385348C0DD2C9394873F0AFEDCD179BCACDED7EDA138052F5A3F0E4899B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:26.475{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635F3B87AF633371CC3DFF467C3D2DCD,SHA256=CC33AAE0E51F3488783BDB25D8A4616BF04B27EC869751F3EAF795CA6662064A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.974{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=31FF1C2C09BCEE7FBE38BA6C9B23B119,SHA256=4AEA98A5C17022DF8AE11D628AF07FB9DFF1341CDC58263EEFEA5D594BD6668D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.905{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.781{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000302351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.781{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000302350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.779{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000302349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000302348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000302347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000302346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.768{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000302345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.604{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local60607- 354300x8000000000000000314071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:25.634{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55297-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000314070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:27.491{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC945ABD3531C4165EA79C7945EDC9D,SHA256=7217E54822CDD9CB01D16EC05096D4CAC498B66731DD72ADA616129C4B9C7E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.908{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.906{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.903{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.901{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.898{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.896{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.894{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.887{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000302419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.639{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61495-false10.0.1.12-8000- 354300x8000000000000000302418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.625{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61494-false172.217.0.170mia09s16-in-f10.1e100.net443https 354300x8000000000000000302417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.607{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local59098- 354300x8000000000000000302416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:24.606{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local55998- 10341000x8000000000000000302415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.870{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.863{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.853{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.836{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.830{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.823{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.818{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.816{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.814{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.811{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.809{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.808{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.807{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.806{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000302401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.789{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.290{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.289{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000302398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.283{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=D59823B6D77DC30D2D72DAA65522065F,SHA256=2387124A8117212B0A6D4DCFE29D9A58626E622E0E5EF004BC79C34EDE38B782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.282{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=6E1607E86A97911935361CB06FB57360,SHA256=5933F816C9B34DC69AE1F460CEDD68E318D1F941755868C1D8F29F7E3C5E5DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.281{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=9D054F70857C237646C19BE6AD76972A,SHA256=0EC5701638530B412CFE55E6D9DBA2B95406B436BA34EF4B6D5FDDC950CC7FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.280{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=23FA5B45C3FDCAFEB9C5F69B313E02CD,SHA256=16070A6033AF47D6A46E5990C711ACCD6710ED6BCA7D1BBA6BDDF4E01FEBDBD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.279{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000302393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.279{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=B821D22BFE792BD5035E0557F3E1DD1F,SHA256=A8B039200DED86EEC093844B8146658FF60BE6771B9961151A479D791670296F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.278{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000302391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.278{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=EEAB0C797BDEDA31101740C91B10B5CD,SHA256=C948DB5E9CB77E47D4AC0AF656EFF8833400AD9C5C0C0B08434456A6C9603639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.277{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=760042E7F644A9A129809EFAE2060930,SHA256=121EC54989FC1D18AC286D681A3E8BC7FE233DAB25B7964E5DB45DB995963776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.276{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=DA5606E659476878ED6A0CE7BC5C1E09,SHA256=7A0CA5892CFE0A0A959BBF1281C32EFC679312EFEF1960AA8F17C94C1503195D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.275{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=05D14AB4EA3E0B7E122DA4E242658D52,SHA256=E463EEB72D4ECC0F09DA92A8D9EFF1589B1FCEB36F7AD9DA5E99FA68B6A246C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.273{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000302386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.258{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=4D4F53FC0DE8838F3201C7CCC5442CB5,SHA256=70C73C0378E63C695BC0E457CF7F9FA8D54DED2778A0D3C669C86E8B0C2C1484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.258{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.258{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.258{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=D35240D5AA5DAD3209801B1217F88E48,SHA256=C490BAB02846D2692C86C6A07EAA8D482C49502891E03C4CCEFF47EDA4408863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.258{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=C2D713D807CE0DAE2E427DA59504C92A,SHA256=6E41225E07D8743C45F5FAAE4EA8054C28CFED89728DA1436E9A582FACE3091F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.258{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=B7EA3A31B7D49E77D2C3B3461D3B5851,SHA256=0459A6B81C5126FA9ED016DA2105949643E4E91A87BC106D712151F8052DD788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.158{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=31FF1C2C09BCEE7FBE38BA6C9B23B119,SHA256=4AEA98A5C17022DF8AE11D628AF07FB9DFF1341CDC58263EEFEA5D594BD6668D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.158{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=C21C9F174B1FC135E1935FC21C8A603F,SHA256=2BAFC03EE9D061D9FCEEEE5BE80BAE2CF1B26CDAB2B2A3F1C20CC964612446A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.158{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=E16012C6DCEF7012D6EE97D8F1C0C54C,SHA256=B17335E055F46B81A4ABF626ED029E812A3C7177B03901D79E82F5CB731018AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.158{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.158{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=B88C4680F6E2FAD39032FBF2A91E1320,SHA256=E6E8A2F841B88A9224BC53B6C4952425CB15DF4E48682B132D8CF6192C0D6F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.158{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=AB14CAA263CEC24411C0BCA2DF883EA8,SHA256=87CC5FEFB8DDF35395E2778F2C63A6B661A18C18D12301CC97A0169CA6ED5C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.154{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4B61079552A7223DA62573CECEDEB989,SHA256=4A53CF538C6F9A29DC865D9079D98ED58C29954DD71D11562DEF131BECC83C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.153{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.136{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=0FF6155B864C146DD706BB3E8E739599,SHA256=14E65C21C10954B62410AEBB134E7DE0559346DB81488F523268C27CF673D494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.136{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=900078C9C0B0A544C1B16628F456D9F9,SHA256=DF67313ACF21BCDF34F9EA304721127A1D98AB9473AF16AF2E3E633DA3473FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.136{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=4ACB7601E037A79BE3524A63BB045139,SHA256=A2653D0EFA91E16819103168632AB17658E7CF7F7549508C06CE96711D3B4665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.136{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=640634C0E739F660298F5F4839C6EE93,SHA256=E2D397AEC3AA0C03EED13A43D240D1ED724A24B3A479830AB925EDA0F0B376F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.136{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=AC3DB405778811C611BCBB41572A6A21,SHA256=C65468C28859D0ED08F4533AA008FBA4B314A5C5636AAE1D8A1A2B3457599AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.120{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=AFAD6A7330CCB02F0262F191C492B004,SHA256=1196111EA901E6B763A786708B84DCBCAF9CBAB25EC12475E66793595918655E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.120{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=D0F0B25897386CDB2B0C85D716E89A12,SHA256=A17A64B9D633E7CECEA1760BB09E70BC89F6091A36AA7D35DFCCFE7A1F1494BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.120{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=70FBB7A20692A281381DADB0252E757C,SHA256=F7757B4602283422AEAC6B3917F0CF60C12A51F10A9B8F2939AD6EC2D5F12F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.120{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=E2EFDABEF4B417ECDA297FECBE6EAB05,SHA256=6D359DE7EF690EABBBBC54148E162ED3E2D217C186C318C3965ACDE85531D07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.120{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=6A0756443D92A9C669AA96A34326FCCA,SHA256=A9B43BCED40B40DA95E90506F1746DE38CC73007A807266822CFB63E0C5F485F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.120{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=88B9BA950DC45A0752A8E8115CCA8261,SHA256=9C83AFBF5C1F7ECBCC8A6379A18900546C01B9F6550BF4EE93453161D926E379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.105{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4B61079552A7223DA62573CECEDEB989,SHA256=4A53CF538C6F9A29DC865D9079D98ED58C29954DD71D11562DEF131BECC83C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.089{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.021{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9511F07DD3731F10A6C3304295D4C549,SHA256=354FEA183F8125214CD369E969BDEC49C5C1E8FB5CBF65BFC8572D1D94DA6A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.021{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=C2D713D807CE0DAE2E427DA59504C92A,SHA256=6E41225E07D8743C45F5FAAE4EA8054C28CFED89728DA1436E9A582FACE3091F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.005{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:27.005{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=E16012C6DCEF7012D6EE97D8F1C0C54C,SHA256=B17335E055F46B81A4ABF626ED029E812A3C7177B03901D79E82F5CB731018AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:26.989{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:28.591{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8752C01EAA84CBD7BFFFB83E00FDF89,SHA256=BA997BB2431557D1B1B73D13F571AF08588488B02A31E89401249AC965BE1F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:28.136{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C23311871173C969067D29A5B37D06D,SHA256=3719471AC3443194589DDFDAD26A8377BDC3D7BBE6C29083468EAF7B23D2E9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:28.136{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5910827ACED94820655BF969018275,SHA256=5B8F045CAC6AAE2B410B8F4667F90531505305734BBDBE016534305DAFF8ECBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:29.710{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3C09D9F9E9060E06FC1A63DD2F75B8,SHA256=F5C9ABB9762A6CE0A968FAD150D5DC7EDF84C463F1C053233ABC0EDC2F797CB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:27.934{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55298-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000302430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:29.373{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFE8BFF3210CE57981D5F22333AE546,SHA256=596BA536A4ED309C66689B55D2A18F6EB765D3D0CB47A549422E20A381F36F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:30.711{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FD9F709FAA85A9D7471217F7EB44AD,SHA256=70DCCD9CF35FB4655A26146C2037707FB8413A48ED64D7540448942DB094F56E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:28.878{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55299-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000302431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:30.503{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4046987E5F17BA7DC2C4D282AC685CB0,SHA256=4BE24A6DE8B69D1FF26EB3D45F3D78C08D932F7088B19C26F219B0AB3855ED1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:31.729{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0224FC3FAD08631BEE683ABCB88AFFB3,SHA256=1B6536540687B9C3D4B59CDBDC191BFAACEA4FCA387E1207BDAC43D9CAD8AD46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:30.142{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55300-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000302432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:31.634{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3404C652F04C8969ACF80469CA32E58E,SHA256=C5FC358DB2EC460983CDF5D3EB83766F13DC5DF80046686A6F35B9C06C2C7EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:32.744{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73EFCBA617334FCB531299C4300393D,SHA256=13992D9EE1C14BBDB754F6421177C61E397D14432B3A7A855FDD8786192EB913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:32.770{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FC68AFED7F6BD4CEFBEA463CDF9169,SHA256=6BFBAAE8D61EA97F5127CE3C9E3A4F9A92454DF1A7D8A522A926DF8B2E36296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:33.874{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F6ABFC8E6F5FAE94EA75FB46EC898,SHA256=D6CB78D444CDE09DC6545CF00A783D1F86E149D4B0619A18CB9B1BB2F16F5956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:33.885{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCA767C3211E9A5E5E4C124E08F67B6,SHA256=D9D192D8718E0E6D2F0E4E9082617B1A97328E79DF42A0996D4CDFF35F326DEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:30.669{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61496-false10.0.1.12-8000- 23542300x8000000000000000302436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:34.950{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80F3CED54D2AB8BA519BC4E92EDCEE1,SHA256=C9B61C1DB5C150D9DC88D954292D6ABE28D85995E9AFDE5A0B3BB4EFCB82FBE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:32.436{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55301-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000314083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:35.998{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000314082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:35.008{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E43BEF47ED15C316A07D96E1CA55503,SHA256=13EA5ADB5C7F840D943233A3D1640E6171B997A4EEEB8CE33B003C7777078554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:36.048{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BFBCD59DFF5EC65455D46C69F54B94,SHA256=C841AC9E01302254F62D0F2CB746EBEDF3C7194D97FA93F4D0D6EBC4B9414550,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:34.812{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55303-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000314140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:34.733{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55302-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.456{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B506DC1CF0DE56943D2F1369FC3356C0,SHA256=E6AFB174724E39F1F76A070DDF7F4190212B123B3AEB15722232EE7E2B7579D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.331{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.330{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.328{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.319{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.312{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.309{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.304{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.302{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.299{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.295{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.289{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.280{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.261{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.260{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.258{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.258{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.257{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.257{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.241{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.229{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.204{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.187{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.180{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.177{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.172{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.171{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.169{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.168{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.166{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.163{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.161{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.159{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.154{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.151{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.135{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.123{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.114{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000314094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.109{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2A9937BC22BD41D5C4CF1EDD4654D8,SHA256=C5D84109EB52D92C7B59B503D12FEE1B26117D1210514F6A39615762737F6F87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.109{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.101{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.095{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.085{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.057{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.052{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.043{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.031{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.015{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000314084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:36.010{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000302438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:37.130{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB0CCC297CD4F971CAC9BEE60208E7B,SHA256=1C234EDE19C0C2567CC0636CA9BBA8208DCC0FD99C7B04DFB96343E5FEAFE077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:37.090{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21656314057F6B29D11255FCBAA3F9C5,SHA256=A57FFE2BAAD64FC2A42298C51CBDD29FAD58F443DBF8B94287268ECB0129EA4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:37.033{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55304-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000314153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.334{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.334{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.334{F6DB49F2-D01C-6305-0B00-000000007602}6241224C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.325{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000314149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.324{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000314148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.322{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000314147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.321{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000314146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.319{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000314145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.318{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000314144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.316{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000314143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:38.207{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D555E9BDDC0CAA3F6787677132AEEA06,SHA256=2DE4EFC7ADE146C429CE03D3948E3600BC677D83C7A0E5B1ECCD950BF37B2B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:38.268{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D55182E6BAFFDC854EC49E055E0A28D,SHA256=19EB130CB0572B1E75C1D98EFD5C8263244E75A9F81FEB194C2AA249E516B161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:38.198{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CA40AADF406A09DAB4732962762B6236,SHA256=263BBFC7E783B645FF9BF4F1FC72234952DB02AAEDFBA82B142D7CABBDF15335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:39.310{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC483612160A2AD18CFCD065F4C78A6,SHA256=81E5E0E091CD510DA0460A09D2FED94DAE391965099674679B5097A46CB439B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:39.283{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5AA9FB16FEADB619D4E79EFF8243F80,SHA256=A328D4F004D503D8141D9DFCB180139317F75866F6878782DF1C6E72F7148828,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:36.712{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61497-false10.0.1.12-8000- 23542300x8000000000000000314156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:40.441{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779AC1A27A5D2EB2359FF4482157A427,SHA256=3D348B2F69C84D08A52D2EE9B7797FB3012A72FF6A3B51127CE7602813F5E940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:40.283{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CC3853D7F4B378498C06D139C6DD05,SHA256=5A37F365757D6A51BCE412C8D04EDA51625D8A737F42C9EC2BF1767D95C505C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:41.543{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99634F2262CDF9C62FEAED9D82A86FE0,SHA256=F5EECF1B9FF3BAE1CE376B51548953A1E354B5839F172AEF8958587FBD59E8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:41.465{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=08E9246DC1C090E785D4BC4FD4CFCCE0,SHA256=80D45789E875BDE74A62E272414F417C9E710E46E7F39B685B21148507EF4D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:41.381{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CA73E557944F16AC40BC58F0C6D002,SHA256=8FFF0C0D4428FE52C505A0A99D14D3ADC474F61751D3F85CECCB25471B0A2326,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:39.233{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55305-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:42.804{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=642DB5E0DBC528DEFF5E72CA00A1F753,SHA256=DD7E7FA40551CD4710418393ABFD6DFC76D1CDA8E0F1B1547BBB3A8F8942BBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:42.655{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD1183F4834ED74909E2C03E2C4145B,SHA256=4161F6A1064872A9545A428D200C509078119B921F2E341658FBC81CB1783857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:42.497{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D37A6D37D05DDE8E5B4E6E2BB8111E,SHA256=6EC2D136104AB4DE8ACD415B201FC0AA722C0728CCB94AD6D232F60C66BD429C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000314168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000314167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009f1e11) 13241300x8000000000000000314166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b799-0x1af277d0) 13241300x8000000000000000314165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a1-0x7cb6dfd0) 13241300x8000000000000000314164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a9-0xde7b47d0) 13241300x8000000000000000314163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000314162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009f1e11) 13241300x8000000000000000314161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b799-0x1af277d0) 13241300x8000000000000000314160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a1-0x7cb6dfd0) 13241300x8000000000000000314159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:08:42.425{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7a9-0xde7b47d0) 23542300x8000000000000000314172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:43.772{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9159BA2103B8B576FAE6CD4D5102F32A,SHA256=539BAF1E5508D2AC9602CE6F7C4963F7BFEAB0E8997E44767E22FB4C2C0DBE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:43.596{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21127C8344095F70F700C567527EFFF,SHA256=598F7494BEEB2B2F500D39367CF3573CB88E7FED6EFFD5A3C725CEEC0D35F891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:39.993{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000314175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:44.842{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38332925C5DA534069F8EBE9E716ECE,SHA256=B28C50D0396D804B00C66929E41D7DE7DC5594FCC0898B1A97CB7DAC9A139ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.684{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D54049EDCD3FF82DBFCCF19EDC5F15,SHA256=D979DFD13180B5B85AC0F9B165FDF0DDA35C4460AE272DF3751FAB0A810D47E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.647{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.639{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.636{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.634{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.632{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.605{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.598{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000314174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:44.188{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:41.547{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55307-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000302459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.588{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.582{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.576{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.568{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.557{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.548{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.541{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.532{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.525{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.480{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:44.477{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000302448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:42.563{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61498-false10.0.1.12-8000- 23542300x8000000000000000314178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:45.943{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23564B615888201A244BB55AB121864D,SHA256=7AF6E362C0EA59874F872F020CE62058BC8C130C75157F17227C1F51FE575C22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:43.957{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55309-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000314176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:43.731{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55308-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000302473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:45.629{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F810E1CB20F54D29EAD6FD16A7B98B,SHA256=BEA3C78C31666EE63E3EF916E5700EF1A571035F749CB6C3C4D9524E36701936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:45.099{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:45.097{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:45.094{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:45.091{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:45.085{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000314179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:46.959{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3D942B2EDC9A80631B2562E571987D,SHA256=343149A8E429516318807D479921C3477542AC107DA625FCF2642EFDDF908860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:46.743{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A983BB755C194BADFF3D1485AFB3403,SHA256=8FC87B3C35BE7C34E5EE2D0E5973C2C4D1BB2EE9D973C0A70C0E59C0533E8140,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:46.012{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55311-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000314180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:45.996{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55310-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000302530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.842{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C34190E9AB4272D83D22625AA7A1A4,SHA256=2E395BF8E681F01B24185D903518B913F0DEDBC511589B5CAF9D0A18A6F7033E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.838{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.834{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.830{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.822{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.809{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.804{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.802{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.789{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.782{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.781{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.769{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.755{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.739{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.714{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.707{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.689{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.683{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.681{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.678{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.671{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.668{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.667{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.665{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.664{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.149{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.148{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.134{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.132{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000302475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.126{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000314182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:48.059{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E39D3B9D5FA18B11F38DB148655960F,SHA256=46AB51A396587527B9CA6BFB61C06B936150F5F943BE417E1591880B783F61DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:47.593{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61499-false10.0.1.12-8000- 23542300x8000000000000000302531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:49.279{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9ED077ED05EBA2B7051B26D3A36E81,SHA256=FC1569800053654CC7BC42DC1FC7C1E98CF40D57C58176807F88792D14212E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:49.090{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D8CEA20D61B61A5763473617503C08,SHA256=E4152AB09CCB4C0F7281F7F49C598F97C803B039DA4AA2C3FAE965B3D5B4BEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:50.191{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DCD25C79BAFDD2AA4A88A32ABB8903,SHA256=63B2CBBF9517101FB0C53DBBA5E0324320902A6EF4519B5449B40664479F6912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:50.393{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF40C723E7299F682A2D89AC58C0E62,SHA256=0E07F0FCBCD0B4BE855FB4E934F1E3E5ACCB924CFFFB9F3E8A46218EF3BDB515,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:48.195{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55312-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000302534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:51.508{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E617E591D37EE61F230FC74E444D6269,SHA256=E4F3B9746EC9726EF87C0BD1BB81842B6B42503504C9A098461BA067395B0271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:51.329{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ABB279378D8DB739912C7A9AAA4634,SHA256=CC4E8C394660ABD9E011C0C4ED16D45B4C4DE526BD8E74A02EDC5EF6D1E281B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:52.624{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0F6B0E90F6667B5AC68A442818CF29,SHA256=5F4C3B1FD58BFE087CDF41D819D045520879C40F899691161D3BB7E2E678355F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:52.410{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEA0802B24550321EC4125922E9A970,SHA256=03290B799FDF5F2B5ACA51927B35F321A96BFFB16225E3DE3D70B75EA662ABAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:50.380{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55313-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000302536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:53.725{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB1D22B2BD35DCC780E037812C88665,SHA256=0C7C15238D576278E871963512A4EFB424DFF71D285B953047A35B9E4A0D0F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.964{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=98897B46FB5179BE503A1B1B7E104C64,SHA256=725E20FB931754B314FCC8A02AEF7498C68B316E2499F2E4008A60B251DE3D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.711{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8203B63C989C58A7CF8C02C7A3DD837,SHA256=75CA2078520BC69FA0635392B1466062CA3A7F1D3D487A18CECB8B2DA979E6CB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.292{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000314238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.292{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000314237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.292{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000314236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.130{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000314235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.130{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000314234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.130{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000314233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.130{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000314232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.130{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000314231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.130{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000314230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.130{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000314229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000314228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000314227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000314226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000314225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000314224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000314223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000314222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000314221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000314219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000314218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000314217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000314216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000314215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000314214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000314213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000314212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000314211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000314210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000314209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000314208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000314207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000314206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000314205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000314204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000314203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000314202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000314201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000314200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000314198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000314197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000314196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000314193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.114{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000314190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.113{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000314189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:53.108{F6DB49F2-F8B5-6305-D805-000000007602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000314244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:54.829{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDFE49500BF9891148D525CF7925DD6,SHA256=87341B5BCDC3B00EB1CB1BCF96F57214498D23D58BD877E3C2646F33C24C0B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:54.813{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BEF8074C0683923A02545AE532AC36,SHA256=C674CFC4A9AE2092D77DAFD3E83B0CA08A1D2F82E43BAB15846EC31D98462FC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:52.644{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61500-false10.0.1.12-8000- 354300x8000000000000000314243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:51.842{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55314-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000314242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:54.192{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78CB35C03C087A4B964E5B193AB216B2,SHA256=EAA96044287235105125F40B02C8EF8DDFE8DCE1FED438955D706BE7CD47C3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:55.793{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78C898BAB645316D6059E459696A212,SHA256=A9BAFF4B0B765E4827C2C697F959403C22B8E4E218FEB621F8BA53E1E4F18BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.991{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.989{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000314352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.989{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000314351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.988{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000314350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.988{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000314349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.986{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000314348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.986{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000314347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.985{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000314346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.985{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000314345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.984{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000314344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.983{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.975{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.969{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.967{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 10341000x8000000000000000314340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.967{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.967{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000314338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.967{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000314337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.967{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000314336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.966{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000314335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.966{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000314334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.964{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000314333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.964{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000314332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.964{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000314331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.964{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000314330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.964{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000314329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.964{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000314328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.964{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000314327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.963{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000314326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.963{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000314325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.962{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000314324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.962{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000314323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.961{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000314322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.961{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000314321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.960{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000314320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.960{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000314319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.959{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000314318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.959{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000314317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.958{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000314316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.957{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000314315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.957{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.956{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000314313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.955{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.954{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000314311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.954{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000314310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.953{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.953{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000314308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.952{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.952{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.951{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000314305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.951{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.951{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.951{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000314302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.947{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000314301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.644{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D344A28D20C23934945CBAFA7A140030,SHA256=D8ED1C217E343D57F669FF75D59A66F766830D9BBB779E3DC6938205D4E57174,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.459{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000314299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.444{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000314298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.444{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000314297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000314296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000314295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000314294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000314293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000314292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000314291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000314290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000314289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000314288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.291{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000314287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000314286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000314285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000314284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000314283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000314282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000314281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000314280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000314279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000314278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000314277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000314276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000314275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000314274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000314273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000314271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000314270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000314269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000314268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000314267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000314266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000314265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000314264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000314263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000314262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000314261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000314260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000314259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000314258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000314257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000314255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000314254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000314252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000314247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.275{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000314246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:55.276{F6DB49F2-F8B7-6305-D905-000000007602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000314245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:52.648{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55315-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000314409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.577{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.576{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.575{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.571{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.568{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.566{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.563{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.560{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.557{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000302540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:56.881{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB026926C82DCD18F983D89C5A80B0A,SHA256=2B5E92FC2B4C29BF75EE0E6AF3510E84029BDBA3FE706FD1162A9020A06A4982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.555{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.552{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.548{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.546{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.538{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.522{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.521{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.519{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.519{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.518{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.517{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.500{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.488{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.465{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.459{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.451{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000314384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.444{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD207345CB9868579F4FA9A4078272E,SHA256=EAAF2AE84F0598D584ECAEBCEAB44E0B6162B9694BC264EE78DFCD8E18EC324C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.442{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000314382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.439{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159794DC2207E6990FA899CA27F29805,SHA256=596C5816ABD61DF350EDDD2E4EB4E91426605C53D87D9530CD301A9C2C380095,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.439{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.437{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.261{F6DB49F2-F8B7-6305-DA05-000000007602}50362452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.261{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000314377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.260{F6DB49F2-F8B7-6305-DA05-000000007602}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000314376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.149{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.137{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.133{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.127{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.124{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.120{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.110{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.106{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.096{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.094{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.082{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.075{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.067{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.061{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.054{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.044{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.008{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.001{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.638{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000314461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.638{F6DB49F2-F8B9-6305-DB05-000000007602}19885056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.638{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000314459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.622{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000314458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.491{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000314457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.491{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000314456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.491{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000314455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.491{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000314454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000314453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000314452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000314451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000314450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000314449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000314448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000314447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000314446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000314445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000314444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000314443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000314442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000314441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000314440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000314438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000314437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000314436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000314435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000314434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000314433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000314432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000314431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000314430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000314429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000314428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000314427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000314426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000314425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000314424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000314423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000314422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E401C19CABE2A49855BF5CFB799A43CD,SHA256=495943E119E70805DB2022A4A56B5FD05414722D7BAEAF3ABAA85E155C8FF51F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000314420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000314419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000314417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.475{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.474{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.474{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000314414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.474{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.474{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.474{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000314411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.470{F6DB49F2-F8B9-6305-DB05-000000007602}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000314410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:54.930{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55316-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000314564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000314563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000314562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000314561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000314560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000314559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000314558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000314557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.822{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000314556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000314555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000314554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000314553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000314552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000314551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000314550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000314549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000314547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000314546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000314545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000314544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000314543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000314542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000314541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000314540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000314539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000314538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000314537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000314536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000314535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000314534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000314533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000314532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000314531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000314530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000314529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000314527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000314526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000314524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000314519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.807{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000314518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.808{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000314517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.606{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F743A1DDBFF1F15AC38FB446ADB07,SHA256=A95F86EAD35647B5FFEFC315723BC5F1B1D9D03AC1AE3D8B8474708247FD4A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.590{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEA86FFF51589F053603F47FCC2D5C1,SHA256=CF52AD86985E7C5680F6FAB42DB3A6CBD4D53610EFFB8A9F3E96F0CC82955937,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.323{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000314514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.323{F6DB49F2-F8BA-6305-DC05-000000007602}52486088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.306{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000314512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.306{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000314511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:56.853{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55317-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000302541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:58.093{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5736E5E86F468FDCD9A2F434F0DE4C,SHA256=64151976B2941F37072AAA6A6FB2DA6A223FFA9B1A8679FCFB176CA47F5361FF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000314509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000314508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000314507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000314506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000314505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000314504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000314503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000314502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000314501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000314500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000314499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000314498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000314497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000314496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000314495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000314494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.157{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000314492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000314491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000314490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000314489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000314488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000314487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000314486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000314485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000314484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000314483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000314482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000314481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000314480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000314479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000314478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000314477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000314476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000314475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000314474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000314472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000314471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000314469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000314466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.141{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000314463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:58.142{F6DB49F2-F8BA-6305-DC05-000000007602}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000314651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.922{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65410BBFA36ED4BDD1485567CE4C7B28,SHA256=632CC7D7DED7572FCACA406FAEB52BB966E862BCD1AA6EA587577AA18A388DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.791{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2BFFF7BDB6271EE02B0056F936D220,SHA256=3071B6EF8EC15AACACD47F7CDE91812500F6C7CDA19BB173F0815668DF8B8B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.772{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4C9A2F81519EB98D56C30CD5FD1266,SHA256=E5C68B9CDE1C30640049419E4E9904233CB33A18DFAFC8C9FBE3F943B7C63E24,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.654{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000314647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.654{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000314646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.654{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000314645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.491{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000314644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.491{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000314643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.491{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000314642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.491{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000314641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.491{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000314640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.491{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000314639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.491{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000314638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000314637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000314636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000314635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000314634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000314633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000314632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000314631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000314630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000314629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000314628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000314627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000314626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000314625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000314624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000314623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000314622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000314621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 23542300x8000000000000000302542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:59.326{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856789D47E4328C89C277C9AEB5AB5EA,SHA256=19FFB5258AA194BEB1DFF235BD89DBDC7FA2FB69BC790D00EEC09977DD3F3814,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000314619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000314618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000314617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000314616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000314615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000314614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000314613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000314612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000314611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000314609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000314607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000314606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000314605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000314604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000314599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.475{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000314598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.473{F6DB49F2-F8BB-6305-DE05-000000007602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000314597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.338{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000314569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:57.139{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55318-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000314568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.007{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000314567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.007{F6DB49F2-F8BA-6305-DD05-000000007602}34123820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000314566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.007{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000314565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.007{F6DB49F2-F8BA-6305-DD05-000000007602}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000314652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:00.507{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48112EBDF06B95C10FB07DEECB093631,SHA256=AAB815AFD884480FE1A57634BF28EBE2D1836B6AC50BA3143D6813B052CCABDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:08:58.644{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61501-false10.0.1.12-8000- 23542300x8000000000000000302543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:00.377{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509CE4548CB81F6E95E954B188B790AD,SHA256=35DB32B94E2B6DA7D6AD54F2CA3C7CA3946BBD49F7F226490097C5F0EA718C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:01.624{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BE5DD2DA77C6A5021B78C4261215DA,SHA256=9A2293D3ED2E6B1CF7716798DF3BC59D89A83C7542B8A2442EAA784DCEF28F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:01.461{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35D0CF8D800E4C10C95AD644CE9C77C,SHA256=C60969D14C4A7C7FF344B210C9049302C08D794A176A19716D6C02AFAE1BD328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:01.241{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-168MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:08:59.441{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55319-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000314657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:02.740{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAB259CB96FFEB0ABCBA73514C6C045,SHA256=0612C9D52FFD5BAFDE74D14681F44F7A63E6DAD349ADC600C8835AE070498561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:02.561{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00897A708CC51EC969ABFCF0A6A5B467,SHA256=2735B47F13FD1532F0895A20929E98BBCDFABFD85A6308E3785941ABD003376A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:02.241{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:03.858{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C8E27F424BBA76B9A19219139FA6F1,SHA256=5ED12A94509D61AB288ADA07E99E66B2F97D4A80B8A60A4097D5FF15B38BDF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:03.692{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9BF593BF8BBF2039E74EA8E41A9D28,SHA256=76FB9F8E04BA60A9CC0EE8C1B34D4E207582BDBD72F565961657FBFF20184C8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:01.627{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55320-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:04.976{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF116DE2ED1D1D47C6C5E097648125D6,SHA256=368FCF2A40EE930C0CEF392B9E3275BE77B0A76CE485702700095855C4F2EB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.769{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C135C4400D9BE879D8018F6D45440F1B,SHA256=A060DA9B2E28C66CC00FD755553375023EBD9A713E85D4DD3317D1F83DBC31FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.713{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.702{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.698{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.696{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.693{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 354300x8000000000000000314660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:01.990{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55321-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000302560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.656{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.642{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.624{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.617{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.606{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.595{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.587{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.577{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.569{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.557{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.545{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.479{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.475{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000302572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:05.747{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC232299DA35140238BA2FC5ACDC1867,SHA256=32B934E5812840D4F345A6B1C2E985C6A612CAD57AD8616FEE1EACE6B38C3B6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:05.150{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:05.148{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:05.145{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:05.141{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:05.139{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 734700x8000000000000000302680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.879{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000302679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.879{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.879{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000314663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:03.913{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55322-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:05.999{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE02B7ADE04351C92C9A26BB8A5BDBE,SHA256=F918AB5F3EB1A70394C701A23339B818CE4BE58645C09CA88C36D510460C7BCF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.696{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000302642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000302641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000302636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.680{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.679{D25361F1-F8C2-6305-8005-000000007502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000302629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.196{D25361F1-F8C2-6305-7F05-000000007502}12566344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.196{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.196{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000302626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.057{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.057{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.057{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.057{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.057{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000302621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.057{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000302620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.048{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.046{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.046{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.046{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.044{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.044{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.043{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.043{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.042{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000302611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.030{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.029{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.028{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.028{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.028{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.028{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.028{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.028{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.028{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.027{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.027{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.027{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.025{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.024{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000302596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000302584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000302579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.009{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:06.010{D25361F1-F8C2-6305-7F05-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000314664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:07.076{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3D62B1F71C112B24E8B8E95FDAF311,SHA256=A05285FD3B9F37658DFAFFA33769A5C7A48C1DE7925220B4F44CFBC427D06FAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.875{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.873{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.866{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.861{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.857{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.850{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.846{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.837{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.809{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.793{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.783{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.768{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.763{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.756{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.751{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.749{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000302752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.749{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9538C5A9143919D9A336162FD8615853,SHA256=7BAAD505E3BB96BF09A56CD84336BAD6E37D1FF7B75D4C57500EBA89BA2D4BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.747{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.717{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.714{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.714{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.712{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.711{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 734700x8000000000000000302745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.547{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000302744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.547{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.547{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000302742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.443{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=55FE57AB693AAE0F97C644FE340B1CA6,SHA256=0D102E698ABBA7D8B8EDCBD9AA1F8C096B935D517EA63372CD8A88D5A2040AEC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.379{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.379{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.379{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.363{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.363{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.363{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.363{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.363{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000302732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000302709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000302708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000302706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000302705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000302704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000302701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000302696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.348{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.347{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.343{D25361F1-F8C3-6305-8105-000000007502}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000302689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.196{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.195{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.186{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.184{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000302685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.179{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 354300x8000000000000000302684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:04.511{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61502-false10.0.1.12-8000- 23542300x8000000000000000302683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.143{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFCE2BEB9F30340AA5146BDBD28E2A5,SHA256=10EC8512B35176CA881FDE395EDA465A002F6570883B903728E1C6628E432C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.140{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=25CE56A1726888BE2DCA4E580EED0961,SHA256=AB967FB41A88E2772203D1AC94A70BFAA9459A0F68A370E69E1B4A60E6ABC3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:07.139{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E664677FBBC2320034E3791C5CD63E7F,SHA256=951EBCFBAD2212BA736B6D978EFFCCC3F144E7C15752F1763E0A44A25FA57CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:08.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CF450B615EAF479F325787EA96485A,SHA256=FF8784B8B2239D4BA76410226AFC7004E356E125443CF229960A04C7DEF7D838,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.780{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000302872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.780{D25361F1-F8C4-6305-8305-000000007502}12642984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.764{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.764{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000302869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.627{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6612DDA5211DFAACEA91628905ACDF2C,SHA256=4A1A6EE59F48059B1BAB9F48394CCCB1E19DFB6F2AE2778A81564DC7ED66B9C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.580{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000302833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000302832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000302827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.564{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.565{D25361F1-F8C4-6305-8305-000000007502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000302820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.208{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000302819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.207{D25361F1-F8C4-6305-8205-000000007502}5166368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.204{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.203{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000302816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.049{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.048{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.048{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.047{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.045{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.045{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.045{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.044{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.037{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.037{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.036{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.036{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.036{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.035{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.035{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.035{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.035{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.034{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.034{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.034{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000302783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000302781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000302776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.024{D25361F1-F8C4-6305-8205-000000007502}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:08.023{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A751C208104F443D469D3A7C12AA04,SHA256=F2A187C370081BCCAE3DAA36A30178174765D664CC29495EC08674685681F37F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:06.098{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55323-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000314666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:09.295{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CC14F95AFA3FF77DD32FEE4CFCD8C0,SHA256=B4B7B12ED705B538FB3B3085BF27F93667B8DD0542980E60413865D7F4FCC176,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.448{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000302924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.447{D25361F1-F8C5-6305-8405-000000007502}48087084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.447{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.446{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000302921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.264{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.264{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.264{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.263{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.261{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.261{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.260{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.260{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.253{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.253{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.253{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.252{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.252{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.252{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000302904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.251{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.250{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.250{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.250{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.250{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.250{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.250{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.249{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.249{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.249{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.249{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.249{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.249{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000302886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.248{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.247{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.247{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.246{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.246{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000302881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.246{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.246{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.245{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.245{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.245{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.245{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.240{D25361F1-F8C5-6305-8405-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.238{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65C462193E48DE1ABFB51904EE0B3AF,SHA256=53C94378529750EA64C3A732BE2280EF66CCD5951001F3F8CD7D6B5199B4C673,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:08.398{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55325-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000314669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:07.892{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55324-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000314668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:10.413{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E668B073FAF8E79567B67DC460D32689,SHA256=F219F5ED2C2EC927F32A3C4F71F534C943D958193B40BC956D9E5CB5A27D9B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:10.427{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736D97120EFCAD6C375784BC8ED1E4F7,SHA256=3D332EB9FB979BD46D567FE97B227CBDF164F72E0D3FEBBD3A5B793E3A983024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:11.530{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B27F03966B430007E9962C0820CF80,SHA256=D7C7A6332A4E700047E60DBEE51C22186096D0DCCE6BC336315A42E18B00A299,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000302980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.817{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000302979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.817{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000302978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.817{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000302977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.640{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000302976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.639{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000302975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.639{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000302974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.638{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000302973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.636{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000302972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.636{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000302971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.635{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000302970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.626{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000302969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.626{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000302968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000302967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000302966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000302965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000302964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000302963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000302962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000302961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000302960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000302959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000302958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000302957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000302956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000302955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000302954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000302953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000302952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000302951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000302950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000302949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000302948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000302947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000302946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000302945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000302944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000302943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000302942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000302941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000302939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000302938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000302937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000302935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000302934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000302931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000302930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.611{D25361F1-F8C7-6305-8505-000000007502}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:11.480{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFC0F9A0E0CFF262B6A76F12FD5774A,SHA256=3D38193B820E535A837902390107182A4DB6B11BD2D677FE6C68DC3C8E33693A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.131{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61503-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000302927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.131{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61503-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000302983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.867{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-168MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.748{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\aborted-session-pingMD5=1FE92B12279CC6446ADD26B985E8ECE2,SHA256=66C6144CE54BAE777EAC50736CB6CD47DCF0466ED0AB04C633D2AD3D902393B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:12.643{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB0506719A039185A9F216A5D514073,SHA256=C962467F4412FB806467B6122125174AA0A827851A848E7DAA66AC0BB91B4E95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:10.582{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55326-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000302981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:09.581{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61504-false10.0.1.12-8000- 23542300x8000000000000000302993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.882{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.811{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887BB011918B0A998511D258C1411494,SHA256=A4E9DE7EA344E4C33B97EABB709F4B22F0EEAE90D5DF155E58D5C22537E523E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.858{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.858{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.858{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.843{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.843{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.843{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000314676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:13.843{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000016043E\VirtualDesktopBinary Data 10341000x8000000000000000314675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.843{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000314674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:13.658{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA947B555C8C832FBE89BBA1F110A578,SHA256=307EFAF2897C685015BDD9394D6678D0BB86B4B0C209C9EB4679AB6A6B27AB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.298{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\pending_pings\cd36c747-133a-4a96-af86-16430e84b0a2MD5=A0A896675F74ABFCC8FFB105AE35A3BC,SHA256=032CEC392EB249993905D186A89D550E15561969AEB4703CBA0C831487CE51D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.027{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=C514EF0335360B63E3E9A1197259557F,SHA256=C8FB39E288236C3B4245E83B7EB3E975CE942646C0ED1609F9B5A671ECDEF898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.027{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=945D6CE2D102E79E0DCDCEBD7687AA7C,SHA256=7927F169C1838FC3A52852B7C7BA4FD7E7BCBA5FCDAEFEB5FB1F43E8BEEC8AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.027{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=71DE60E788CCC5626E2B400D488D62E9,SHA256=41F65F26E2BFF3F4EB26CB8C1CD72BC683F6AA4A7A6695EDB7DE1D397B36C034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.027{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=BD95963E1A2EEEF75BFA545398802A0B,SHA256=9CBCDED16CB9E253CC313E5D21CA6475A64EC2D8D41885B0A53DD13D20F23F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.011{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=2282E702353A5F8283CBDA80531E3F85,SHA256=4B58AC35DB56D2FA042D61C5A623171BA9D8207B4EAF2165A507EDC423F3303C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.011{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2634403C54C605957237BF6D0FF6D788,SHA256=3FAC36A16876DB1531782D19B8A8066432E7523494523FAC684BF0AF5AE0429D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:13.011{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2448726034C32DD10B970435D3267A97,SHA256=CAA79C4DA63DC2E2482525F9696F9E852241D0187C6F1C60B1FBF8B04403FC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:14.910{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BD5C1958E2054D8729D01CFB47B8A9,SHA256=606F6A9856895F21CE18185BBA34228D0A55536EE07C264A324C29C27FAED0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:14.778{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9511CF8D96793DCAC9129410ECF82DA7,SHA256=F671A6EF01031CB936D7C158A61A20DF526203A9941B660043B6CA52D3129283,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.508{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62678- 354300x8000000000000000314684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:12.908{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55328-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000314683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:12.876{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55327-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000314697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.992{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.981{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.973{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.970{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000314693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.926{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0E95ACAC0FF37AF33EEB945EE761F7,SHA256=025E926729D553B059C00BF7C97B15D638F8B8E17763479B184FAF1A4D6ABF6E,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000314692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.895{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe 354300x8000000000000000302999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.615{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local65535- 354300x8000000000000000302998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.614{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-ctus-attack-range-854.attackrange.local62678-false127.0.0.1win-dc-ctus-attack-range-854.attackrange.local53domain 354300x8000000000000000302997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.530{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-854.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-854.attackrange.local62678- 354300x8000000000000000302996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.530{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:1e0:8196:ffff-62678-true7f00:1:0:0:f61d:e9d0:2102:0-53domain 13241300x8000000000000000314691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:15.773{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000016043E\VirtualDesktopBinary Data 10341000x8000000000000000314690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.726{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.726{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.726{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000314687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:15.710{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000314686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:15.710{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Nqzvavfgengbe\Qbjaybnqf\JverfunexCbegnoyr64\Ncc\Jverfunex\Jverfunex.rkrBinary Data 354300x8000000000000000303001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:12.628{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61505-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x8000000000000000303000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:16.043{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C7EDBE8F92382A4D6344D846C67CAA,SHA256=8A17F2D3D280089D7EBB477FA1BAE9D4B61DBC577CC6C2C489C6501CEC6F7D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.491{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9172B7E7D1C22A9DAEB2F64CDEB4103F,SHA256=97DF4DA30168F774156A92EF1B4BFD09B767369FFCA947CE321764C3D28DDC31,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.313{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\cscui.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Client Side Caching UIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscui.dllMD5=1CA3E6207A230620599F7370D6C8F173,SHA256=758385B0BA148ABCB97A659CC8060DB6DC621A6CAA51B5F717C1233C8B450F51,IMPHASH=7C4C5D26A164B555C68D5F02A417A150trueMicrosoft WindowsValid 10341000x8000000000000000314790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.314{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.310{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.308{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.306{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.306{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 10341000x8000000000000000314785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.303{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.300{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.295{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.291{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.284{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.262{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\EhStorShell.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage Shell Extension DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorShell.dllMD5=4327110011C5B4D72EA451FA23D78CED,SHA256=A3FC4F52D93C74DF05A422F279781747674FEACFCD0ED9DE05FFFC8AEA49E23B,IMPHASH=111C0B6B81920F4C028C3EB61B1873D7trueMicrosoft WindowsValid 10341000x8000000000000000314777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.272{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 13241300x8000000000000000314776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.268{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000314775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.268{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 734700x8000000000000000314774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.196{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\Windows.Storage.Search.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Storage.SearchMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.Search.dllMD5=17D1040EDBA639BD1C2F7577D1070498,SHA256=E3F2CF21782C856A639525E84FF3C413C7CD091297C9A248CBC24541E2D76584,IMPHASH=DE60A0BFF7F6069AA615B149D44D1D3FtrueMicrosoft WindowsValid 13241300x8000000000000000314773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.261{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x8000000000000000314772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.255{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.253{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.251{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.250{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.249{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.248{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.237{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 13241300x8000000000000000314765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.232{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x8000000000000000314764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.228{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.181{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.5127 (rs1_release_inmarket.220514-1756)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=004D25E64FBEDBEB9B514BF94DA17499,SHA256=3BC118B4B6E0DE7E2902ED1F66EC1A708586F35B3F7C324BF5D4CAFCE11A6818,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 10341000x8000000000000000314762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.213{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da836|C:\Windows\System32\windows.storage.dll+dac66|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802862D9CD8)|UNKNOWN(FFFFBE9304277E08)|UNKNOWN(FFFFBE9304272AB5)|UNKNOWN(FFFFBE9304273FDA)|UNKNOWN(FFFFBE9304272296)|UNKNOWN(FFFFF80285FEF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+44ca5|C:\Windows\System32\SHELL32.dll+44b68|C:\Windows\System32\SHELL32.dll+7c668 10341000x8000000000000000314761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.197{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+da94d|C:\Windows\System32\windows.storage.dll+daa6b|C:\Windows\System32\windows.storage.dll+daef8|C:\Windows\System32\windows.storage.dll+db2ab|C:\Windows\System32\windows.storage.dll+d1ba1|C:\Windows\System32\windows.storage.dll+d3516|C:\Windows\System32\windows.storage.dll+d3958|C:\Windows\System32\windows.storage.dll+d3a5c|C:\Windows\System32\SHELL32.dll+85085|C:\Windows\System32\SHELL32.dll+853b8|C:\Windows\System32\SHELL32.dll+7c5fc|C:\Windows\System32\SHELL32.dll+7c145|C:\Windows\System32\SHELL32.dll+7cc5d|C:\Windows\System32\SHELL32.dll+8027f|C:\Windows\System32\SHELL32.dll+1357fe|C:\Windows\System32\SHELL32.dll+135416|C:\Windows\System32\SHELL32.dll+134e93|C:\Windows\System32\SHELL32.dll+134aab|C:\Windows\System32\SHELL32.dll+134c17|C:\Windows\System32\SHELL32.dll+134b9a 10341000x8000000000000000314760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.196{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+da8c9|C:\Windows\System32\windows.storage.dll+daa6b|C:\Windows\System32\windows.storage.dll+daef8|C:\Windows\System32\windows.storage.dll+db2ab|C:\Windows\System32\windows.storage.dll+d1ba1|C:\Windows\System32\windows.storage.dll+d3516|C:\Windows\System32\windows.storage.dll+d3958|C:\Windows\System32\windows.storage.dll+d3a5c|C:\Windows\System32\SHELL32.dll+85085|C:\Windows\System32\SHELL32.dll+853b8|C:\Windows\System32\SHELL32.dll+7c5fc|C:\Windows\System32\SHELL32.dll+7c145|C:\Windows\System32\SHELL32.dll+7cc5d|C:\Windows\System32\SHELL32.dll+8027f|C:\Windows\System32\SHELL32.dll+1357fe|C:\Windows\System32\SHELL32.dll+135416|C:\Windows\System32\SHELL32.dll+134e93|C:\Windows\System32\SHELL32.dll+134aab|C:\Windows\System32\SHELL32.dll+134c17|C:\Windows\System32\SHELL32.dll+134b9a 10341000x8000000000000000314759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.184{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da8ad|C:\Windows\System32\windows.storage.dll+daa6b|C:\Windows\System32\windows.storage.dll+daef8|C:\Windows\System32\windows.storage.dll+db2ab|C:\Windows\System32\windows.storage.dll+d1ba1|C:\Windows\System32\windows.storage.dll+d3516|C:\Windows\System32\windows.storage.dll+d3958|C:\Windows\System32\windows.storage.dll+d3a5c|C:\Windows\System32\SHELL32.dll+85085|C:\Windows\System32\SHELL32.dll+853b8|C:\Windows\System32\SHELL32.dll+7c5fc|C:\Windows\System32\SHELL32.dll+7c145|C:\Windows\System32\SHELL32.dll+7cc5d|C:\Windows\System32\SHELL32.dll+8027f|C:\Windows\System32\SHELL32.dll+1357fe|C:\Windows\System32\SHELL32.dll+135416 10341000x8000000000000000314758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.184{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da8ad|C:\Windows\System32\windows.storage.dll+daa6b|C:\Windows\System32\windows.storage.dll+daef8|C:\Windows\System32\windows.storage.dll+db2ab|C:\Windows\System32\windows.storage.dll+d1ba1|C:\Windows\System32\windows.storage.dll+d3516|C:\Windows\System32\windows.storage.dll+d3958|C:\Windows\System32\windows.storage.dll+d3a5c|C:\Windows\System32\SHELL32.dll+85085|C:\Windows\System32\SHELL32.dll+853b8|C:\Windows\System32\SHELL32.dll+7c5fc|C:\Windows\System32\SHELL32.dll+7c145|C:\Windows\System32\SHELL32.dll+7cc5d|C:\Windows\System32\SHELL32.dll+8027f|C:\Windows\System32\SHELL32.dll+1357fe|C:\Windows\System32\SHELL32.dll+135416|C:\Windows\System32\SHELL32.dll+134e93 10341000x8000000000000000314757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.184{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.140{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x8000000000000000314755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.138{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000314754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.169{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.158{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 13241300x8000000000000000314752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.157{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000314751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.157{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 734700x8000000000000000314750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.138{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\ntshrui.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=625A0F3F48DE1F73FEBBC651E5812680,SHA256=FC44D9A2C46C7AEAEDE050ECC2C6F7AF43D34CF97138C40B9D4C3377D032FC21,IMPHASH=AC4154F2DB854AC5F42815BCE5C34155trueMicrosoft WindowsValid 10341000x8000000000000000314749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.153{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.151{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 13241300x8000000000000000314747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.149{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000314746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.149{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000314745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.149{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000314744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.148{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 10341000x8000000000000000314743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.148{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 13241300x8000000000000000314742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.148{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000314741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.146{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000314740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.146{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 10341000x8000000000000000314739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.146{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 13241300x8000000000000000314738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.146{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000314737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.146{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 10341000x8000000000000000314736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.142{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.138{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.137{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.135{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.112{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6,IMPHASH=82DF5355ECE040AB2EB1CF3A3223A564trueMicrosoft WindowsValid 10341000x8000000000000000314729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.131{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.127{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.121{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 13241300x8000000000000000314726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.121{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000314725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.121{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000314724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:16.120{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x8000000000000000314723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.118{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.113{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.104{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.101{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.091{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=5F9B6C9B05956273CC91C5E70B2456EE,SHA256=F51014AC7DD24D56F5C22D8EB33DC1385C0A0A038C510B974BDE6068B5F335F9,IMPHASH=9684B8A64BE29AF37E327ADEEC9F0C23trueMicrosoft WindowsValid 10341000x8000000000000000314718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.086{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000314717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.078{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\datareporting\aborted-session-pingMD5=4E1075EAF82D03823079FA9779090D7D,SHA256=9DD1E5C3855EFE99514E67EC40F054C35288B59E9BC964BB6EF79A4644C6D773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000314716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.076{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.069{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.060{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.050{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.044{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+5111a|C:\Windows\System32\SHELL32.dll+dbaa4|C:\Windows\System32\SHELL32.dll+da84b|C:\Windows\System32\SHELL32.dll+da32d|C:\Windows\System32\SHELL32.dll+58469|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\System32\COMDLG32.dll+67390|C:\Windows\System32\COMDLG32.dll+65e94|C:\Windows\System32\COMDLG32.dll+5f3d6|C:\Windows\System32\COMDLG32.dll+43677|C:\Windows\System32\COMDLG32.dll+43f2f|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+f924|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+31dbb|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+ebebd|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+ec130|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+fa71d|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+db7bc 10341000x8000000000000000314711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.044{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+51108|C:\Windows\System32\SHELL32.dll+dbaa4|C:\Windows\System32\SHELL32.dll+da84b|C:\Windows\System32\SHELL32.dll+da32d|C:\Windows\System32\SHELL32.dll+58469|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\System32\COMDLG32.dll+67390|C:\Windows\System32\COMDLG32.dll+65e94|C:\Windows\System32\COMDLG32.dll+5f3d6|C:\Windows\System32\COMDLG32.dll+43677|C:\Windows\System32\COMDLG32.dll+43f2f|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+f924|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+31dbb|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+ebebd|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+ec130|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+fa71d 10341000x8000000000000000314710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.044{F6DB49F2-ECEB-6305-4A04-000000007602}18925080C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+51108|C:\Windows\System32\SHELL32.dll+dbaa4|C:\Windows\System32\SHELL32.dll+da84b|C:\Windows\System32\SHELL32.dll+da32d|C:\Windows\System32\SHELL32.dll+58469|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\System32\COMDLG32.dll+67390|C:\Windows\System32\COMDLG32.dll+65e94|C:\Windows\System32\COMDLG32.dll+5f3d6|C:\Windows\System32\COMDLG32.dll+43677|C:\Windows\System32\COMDLG32.dll+43f2f|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+f924|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+31dbb|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+ebebd|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+ec130|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+fa71d|C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe+db7bc 10341000x8000000000000000314709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.039{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.014{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=CCDEFAE1F31F9F9AED64686A143D3D0A,SHA256=CF96EB0C3422628398D218152A729221C0F5D09F287E083AE88ECD77DB2C11BC,IMPHASH=B96B407351B4F23871E4087C6E937148trueMicrosoft WindowsValid 734700x8000000000000000314707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.037{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000314706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.035{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5127_none_aec7dd25ddd79049\GdiPlus.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=7278B609C8DAD47E0E93DBB4D49361D1,SHA256=B9FB1418BE46EACB34582BC8F4E867CE4AD7D3C580987AFE0A8EC55ED30A5247,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 734700x8000000000000000314705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.010{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=F16F9896C90C06D66C3538AD9DA011F7,SHA256=EF2A5483794B7E4D836393CF2F4C3A065719855C16933D25C219E620BB692A8A,IMPHASH=C336F93278ACA9710F465E21059D5842trueMicrosoft WindowsValid 734700x8000000000000000314704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.021{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 10341000x8000000000000000314703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.016{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.005{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\dlnashext.dll10.0.14393.4169 (rs1_release.210107-1130)DLNA Namespace DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdlnashext.dllMD5=DB3FEFF8118F622BEF9D5019F07AC2CA,SHA256=83A075102103FAB6DDF5890B01CFD5E74BAB722F24EDA78ED7DCDD55325B7678,IMPHASH=2C687E2BD4D0FE6C08716DC497583D88trueMicrosoft WindowsValid 10341000x8000000000000000314701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.013{F6DB49F2-D01D-6305-1600-000000007602}12001516C:\Windows\System32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.011{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000314699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 734700x8000000000000000314698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:16.001{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 23542300x8000000000000000303002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:17.142{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4263A5F729AD5904A52C0F3B4DEC5517,SHA256=D483F43BF81E0A470F2BD1AF7B99E7D5353779C61C5F06F7E2013E2A90725C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:15.075{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55329-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:17.042{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC10E489130CFB38B1DA76D3CE985D8,SHA256=0F213B0C00ABEBEAEE153B8D38744FFAD29C341A6EED1CAB0398F86F4CF75AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:18.280{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C54CF3F3F675DB5BDE9436A7FB64AF,SHA256=5D90BF4381FA834466B962A89521346374DDDA44FB7119859CB3AC5ED3D36F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:15.529{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61506-false10.0.1.12-8000- 13241300x8000000000000000314825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.257{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000006045E\VirtualDesktopBinary Data 12241200x8000000000000000314824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:18.195{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000016043E 13241300x8000000000000000314823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.195{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\QtProject\OrganizationDefaults\FileDialog\qtVersion5.15.2 13241300x8000000000000000314822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.195{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\QtProject\OrganizationDefaults\FileDialog\viewModeDetail 13241300x8000000000000000314821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.195{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\QtProject\OrganizationDefaults\FileDialog\lastVisitedfile:///C:/Temp/brute-iso 13241300x8000000000000000314820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.195{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\QtProject\OrganizationDefaults\FileDialog\historyBinary Data 13241300x8000000000000000314819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x00000001) 13241300x8000000000000000314818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000314817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000314816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000314815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000314814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000314813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000314812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000314811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000314810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200041) 13241300x8000000000000000314809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000314808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000314807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000314806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000314805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\MRUListExBinary Data 13241300x8000000000000000314804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\0Binary Data 12241200x8000000000000000314803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\0 13241300x8000000000000000314802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\0Binary Data 12241200x8000000000000000314801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteValue2022-08-24 10:09:18.179{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\0 13241300x8000000000000000314800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000314799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:18.179{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Nqzvavfgengbe\Qbjaybnqf\JverfunexCbegnoyr64\Ncc\Jverfunex\Jverfunex.rkrBinary Data 10341000x8000000000000000314798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:18.179{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:18.179{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:18.179{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000314795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:18.142{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5227E004FA275392E75AF2D15BF91A4B,SHA256=F0DAD0C87155261701F46C9238CA9E0366CA17D6D472D0865D1CA1FE96D5DA37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:18.061{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=945D6CE2D102E79E0DCDCEBD7687AA7C,SHA256=7927F169C1838FC3A52852B7C7BA4FD7E7BCBA5FCDAEFEB5FB1F43E8BEEC8AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:19.295{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B00C2BF17716FBE6EC239D2174B26C,SHA256=D8064C06C2B1CB5F0072462504D42F2FEC30200CAECA373DDF0E2B772E65ACAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000314827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:17.345{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55330-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000314826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:19.242{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C5560629F41988EB297A289DFF1359,SHA256=EF183C11B884A9E4525ADEAFD85D7517A6D23D017F9DDD224EBEA6BFA4A1AF7A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000314839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:20.877{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000314838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:20.877{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Nqzvavfgengbe\Qbjaybnqf\JverfunexCbegnoyr64\Ncc\Jverfunex\Jverfunex.rkrBinary Data 10341000x8000000000000000314837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.874{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.874{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.874{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000314834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:20.856{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000017043E\VirtualDesktopBinary Data 10341000x8000000000000000314833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.856{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.856{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.856{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.856{F6DB49F2-D1AD-6305-C400-000000007602}32722344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000314829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:18.908{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55331-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000314828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:20.375{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0519312A193B2D5CEE1DE20E2A2603F8,SHA256=489D48089F29D53999676A3B1FF4EB5DDD8995DB0329AF4D2FA5087AFE77210F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:20.609{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:20.424{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB8771DAEB104D80C3A735BF2571D96,SHA256=1909559FFA2F4859D1E121F3860320BF8D056D231DA480F475E54B1977DC8820,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000314848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:21.943{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000017043E\VirtualDesktopBinary Data 12241200x8000000000000000314847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:21.880{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000017043E 10341000x8000000000000000314846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:21.880{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:21.880{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:21.880{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000314843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:21.880{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000314842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:21.880{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Nqzvavfgengbe\Qbjaybnqf\JverfunexCbegnoyr64\Ncc\Jverfunex\Jverfunex.rkrBinary Data 354300x8000000000000000314841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:19.543{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55332-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000314840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:21.495{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE024674FF550E65EC7845A644DE9303,SHA256=AF038FF08AD25E332B6CCDBF81D313A597206D8045F9D382B584BBD6C42516BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:21.642{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE49C06B87C0D790B31AA99F664E2C4,SHA256=3F238CFC4AE30F1DBA166F5FFC2BBF21DE5DC41BD2F0042474FFCC395DA024F1,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000314862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:22.861{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe 13241300x8000000000000000314861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:22.843{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A008C\VirtualDesktopBinary Data 13241300x8000000000000000314860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:22.788{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 11241100x8000000000000000314859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538Downloads2022-08-24 10:09:22.788{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Users\Administrator\Downloads\WiresharkPortable64\Data\recent_common2022-08-23 12:57:30.159 23542300x8000000000000000314858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:22.788{F6DB49F2-ECEB-6305-4A04-000000007602}1892WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Users\Administrator\Downloads\WiresharkPortable64\Data\recent_commonMD5=581677CE63E8D061E795538921C249C2,SHA256=642A0C07049DED85912B4EEA09B02AEBFCEFFA01379F230B56887739BECB15D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000314857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538Downloads2022-08-24 10:09:22.787{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Users\Administrator\Downloads\WiresharkPortable64\Data\recent2022-08-23 12:57:30.159 23542300x8000000000000000314856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:22.787{F6DB49F2-ECEB-6305-4A04-000000007602}1892WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Users\Administrator\Downloads\WiresharkPortable64\Data\recentMD5=A9EE63436DD720174F16EEE3293D2369,SHA256=11057766DBD1A7502B2CCC590F7794111C05BB577F42AE8ED7FEF7FF504D6F0C,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000314855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:22.786{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A008C 23542300x8000000000000000314854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:22.783{F6DB49F2-D1AD-6305-C400-000000007602}3272WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000314853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:22.781{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PUUActiveBinary Data 13241300x8000000000000000314852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:22.780{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000314851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:22.780{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Nqzvavfgengbe\Qbjaybnqf\JverfunexCbegnoyr64\Ncc\Jverfunex\Jverfunex.rkrBinary Data 23542300x8000000000000000314850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:22.735{F6DB49F2-ECEB-6305-4A04-000000007602}1892WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exeC:\Users\Administrator\Downloads\WiresharkPortable64\Data\Temp\wireshark_Ethernet 2TGMLR1.pcapngMD5=599720F30CD1B572957518CA0B5DFAB2,SHA256=1A3B7FABEC11AAD6BAF6434A1E13A34360D3890DB66EE1EFC1C70718297CD4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:22.599{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A21B94C251544E7C761947B476D7CAA,SHA256=3E81229F7297532FD3326C46019A4116CBEC965CB5B55759682AF6C94B4595C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:22.745{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F5784EFA9D05E7555BEBAB17C2FF15,SHA256=650D369DBC3A3F777FED3277B89ED1C5A55F7A0B638B44DEE505D924F550FB5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:20.060{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61507-false10.0.1.12-8089- 23542300x8000000000000000303013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:23.875{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FA1EAA71D1675E8E14339752E87ABE,SHA256=BE1EBDCAB91E94AF58FB0A6C0D802820BF9A871E3D1C109354E4852E9E8018AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:23.712{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32005459FADF6C76C2A015EB911D1070,SHA256=E391416819398BBBA570AD30BB3EDCA6FF9945813FAB219B9878F5D726228888,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:20.728{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61508-false10.0.1.12-8000- 23542300x8000000000000000315025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.960{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5.QtPrintSupport.pydMD5=1181FE920CE84E12D501A81F38B00588,SHA256=687CE203EEB9C1561AEE8E5576EA2C15746BB785B5CEFA47D2224DABEC7B7226,IMPHASH=25A5000CBBF1CEF9C0AFC53067F0DC5Ctruetrue 23542300x8000000000000000315024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.960{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5.QtGui.pydMD5=2DD37F2186D52AA542E327408AFF8C0A,SHA256=F1ACD9EF2B6D97720409E3E7219D23B5D3CFE1ECA1F5B499BDB14DC07F8B6507,IMPHASH=E963792F8792B7587FFEAD1A8C5A9C9Btruetrue 23542300x8000000000000000315023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.930{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5.QtCore.pydMD5=7F86EC025625916D987E1DF7EC50034E,SHA256=B9F66D6E74483B9FBA4043E7B497CBD7A82B8BDB122A532E1F7F53296B4F5317,IMPHASH=D526CCF113B7123577E710AE3DC93E41truetrue 23542300x8000000000000000315022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.908{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5.Qt.pydMD5=27DFC663E5ADA3BB970E7141EECC666E,SHA256=8308A059E871AF189932FEE8106CC0DD08C77AC555E1EF629311626F1EEBBDFF,IMPHASH=C2A3DB0ACFCC0D808E6C2F1AC6BC752Dtruetrue 23542300x8000000000000000315021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.907{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\__pycache__\qtwebkit.cpython-36.pycMD5=42761AF614C5DDF7FDCC6E3C81FC6C8F,SHA256=25E74360AE85726A7E6B05BC577B4E75EF3DF16F09A6F1C6ACAA0C69FC04D631,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 23542300x8000000000000000315019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\__pycache__\qtwebenginewidgets.cpython-36.pycMD5=0C4555E2EFD6A43C13776C7939095E95,SHA256=14A9B979AE72134E039D911E17CD5148AAD5E6C0042B1705D58E873E2F949C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\__pycache__\qtquickwidgets.cpython-36.pycMD5=FCF01AA9C1C6608AFD8AD15F8AD1E50C,SHA256=C0D0AB6E9B4C1BFA53759646848FAFE3CA44E5846B0F7992F032EA33F1EA7E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\__pycache__\qtprintsupport.cpython-36.pycMD5=DA5BDBC04CC5C8DCE6961242D09D0601,SHA256=0A203FAA2B519ED1C8B9C18079FF2769C7AD588C2849B99E2B017999869B44EC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DD,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x8000000000000000315015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\__pycache__\qtcharts.cpython-36.pycMD5=B67426E5F220C21A08CD61387BE30550,SHA256=86E8F74D4972578B986FB3C0019B8CDA14826BB210D772E67B09AA0FB4FD5850,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000315014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\UsnQWORD (0x00000000-0x0190ef28) 13241300x8000000000000000315013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\LanguageDWORD (0x00000000) 13241300x8000000000000000315012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\SizeQWORD (0x00000000-0x00065227) 13241300x8000000000000000315011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\AppxPackageRelativeId(Empty) 13241300x8000000000000000315010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\AppxPackageFullName(Empty) 13241300x8000000000000000315009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\BinProductVersion2.2.2.0 13241300x8000000000000000315008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\LinkDate02/24/2012 19:19:59 13241300x8000000000000000315007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\ProductVersion2.2.2.0 13241300x8000000000000000315006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\ProductNamewireshark portable (64-bit) 13241300x8000000000000000315005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\BinaryTypepe32_i386 13241300x8000000000000000315004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\BinFileVersion2.2.2.0 23542300x8000000000000000315003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\__pycache__\qscintilla.cpython-36.pycMD5=92AB86667D2810FD051A025461718BC5,SHA256=5B6BD111612802E2DDA18687FCFCF8B2418E589D4AE34F03F0071F671A6ECFDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.690{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.682{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.680{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.678{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.671{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.642{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.633{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.624{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.619{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.613{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.604{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.597{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.588{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.575{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.565{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.555{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.490{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.490{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000303014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:24.175{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=45758A0EA42F2EC5106E8B5AD3907D5E,SHA256=2154E8E61EAE7516A61B6C6A978C16640FD012682B5E9640E67A55657F8539C6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000315002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\Version2.2.2.0 13241300x8000000000000000315001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\Publisherportableapps.com 13241300x8000000000000000315000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\OriginalFileNamewiresharkportable64.exe 13241300x8000000000000000314999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\NameWiresharkPortable64.exe 13241300x8000000000000000314998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\LongPathHashwiresharkportabl|5ca052c93ae5067b 13241300x8000000000000000314997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\LowerCaseLongPathc:\users\administrator\downloads\wiresharkportable64\wiresharkportable64.exe 13241300x8000000000000000314996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\FileId000015f8da24e90ce9d99b1e7c2761388b3f59daf4a4 13241300x8000000000000000314995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\wiresharkportabl|5ca052c93ae5067b\ProgramId0006a7f8374ee53e48b67eb6c0b032435f5700000000 23542300x8000000000000000314994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\__pycache__\qaxcontainer.cpython-36.pycMD5=0734DA0E76F07F7AB9E29C802FEA9A9A,SHA256=E536342BC9A9791FAD2D4769AA8CE1A06DF5215027DFE3367D99B554CEBDD18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\qtwebkit.pyMD5=FB9EE78DEA29D6A2B6ED5D543B0AD65A,SHA256=9E7072ACF8677B0EEFF267D2E74D885D4E5F1375E0858A2E333067D06B465D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\qtwebenginewidgets.pyMD5=9B54EA7D63B03666EE8652AFA8A8BD77,SHA256=4D61A845E69A2FD0F572A212DD1D8F10B21DD09DBCAC9ADE9A4B565368EA344B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000314991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=ED29C426ADF167F9AEBBF2A7F4F4C55F,SHA256=A5E521F4409FCBDF2B82C97BF6FFBEFFD145F9FEBFE8182A8CE4B53ED69AD9BC,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 12241200x8000000000000000314990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\PermissionsCheckTestKey 23542300x8000000000000000314989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.891{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\qtquickwidgets.pyMD5=A94551488758D0279D52C9BFE5655398,SHA256=6F4F60D13B0467D2ED068394F56B06C9070EFADF44413E472DBDE130F2D64822,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000314988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.891{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 12241200x8000000000000000314987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:24.875{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x8000000000000000314986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.875{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe\REGISTRY\A\{701e24f3-b7f3-f373-45b4-be96c60d4be7}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 23542300x8000000000000000314985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\qtprintsupport.pyMD5=E6E0705C4288C31A6AC0E17EA1DACBAB,SHA256=27BC2C38E65A709067B51BA46929398D2D9F338DD0928C3387FEFBB4625460D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\qtcharts.pyMD5=1EFFFF894BFC28EC216958DBA4B3A829,SHA256=57C4442A029701987CD741526FE54D16F18798C29D808D5AA1E1E9C977D13380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\qscintilla.pyMD5=00CA089AB9CC1AED3A7D5B773A163CE1,SHA256=8BB73CBEBD887C8FC38620DF0E21E0790F2FF56E2BEF2861FA70AD86DBB07BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\uic\widget-plugins\qaxcontainer.pyMD5=D681D043EFEFFAE1B5BE0F06A8AE24E5,SHA256=CE8831483FB3601C1166003711B465A5FF6CA5A67F8F646661928B6414AFA18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\printsupport\windowsprintersupport.dllMD5=4896AAECEE7C1C1590540DFFBA031879,SHA256=288939E6FB9D669046E6E021CE515459D94CD550EC07EDED37E816E48357791A,IMPHASH=5923A63600785CAA352275FCA80677BAtruetrue 734700x8000000000000000314980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=52FD1288FED0BD435BBA02023D8A5394,SHA256=C277A8E6B6E25656085647270AF0D6673DD3C6B29C99260825CD5909FCB82549,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 23542300x8000000000000000314979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.875{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\platforms\qwindows.dllMD5=2F6DD640C97A20E7E65A5648A6BC42A0,SHA256=8589EEFB76B04B48F212CB92FB2E69CA64DDB71F33456E4B6CE97214F9889465,IMPHASH=D73E430EBF8A560DBDE1D0F6394B84ACtruetrue 13241300x8000000000000000314978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.875{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\WiresharkPortable64\WiresharkPortable64.exeBinary Data 23542300x8000000000000000314977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.860{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\platforms\qoffscreen.dllMD5=C5EEE02F693204C26B25792F39B9AA8E,SHA256=0BC8EB17CEC6687BBC964FE09216F4322CDF5F1CB3453224339214C3AE545FD6,IMPHASH=30750AED8469A444DEDAB476F61A1AFEtruetrue 23542300x8000000000000000314976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.860{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\platforms\qminimal.dllMD5=82379440C23E9DC8FE041745DE9D001B,SHA256=29F10B883EC80C294F02EF1FF75A45640EEEF6D56B289EEAA97D5B40EFBD875B,IMPHASH=8273A2633C93A9D1FBB62350C22C09F7truetrue 23542300x8000000000000000314975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.844{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qwebp.dllMD5=3792E7231579A8F87993D784DC3315A1,SHA256=755AC3ECE16668B0B9CADC091B803D96841057775A2E384863184C98102664A6,IMPHASH=B7CF1F2F58187DC91ED94FBB90B5ECBFtruetrue 23542300x8000000000000000314974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.844{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qwbmp.dllMD5=72A71487365E0AC393B1683CD88E4CAA,SHA256=EC175E916EA2CEF0929DA892564479785681B078F8A58334D329093E5C848295,IMPHASH=221712B1F0BB0768D7E25CEB5405CDE4truetrue 23542300x8000000000000000314973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.844{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qtiff.dllMD5=F18D8960993E0E7332C3CFFE2BAAD37D,SHA256=F803FCEB6EF104AE85797780A70F740A2FEBA79EFE25DFAC3A60C74B194BFA57,IMPHASH=DEF93D5318F6F39D397597D5685A41ADtruetrue 23542300x8000000000000000314972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qtga.dllMD5=322B3B52BF049C3B2088302B78BBDD14,SHA256=9F0EAA7742E8339F37A2F214D8E38C5EBD967FCF675C59525B83568EF7ABCFD6,IMPHASH=953DA8D7915F3B8CF5CFAE17D3B90476truetrue 23542300x8000000000000000314971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qsvg.dllMD5=14404BEA7B1E5C056BF687145E27EE37,SHA256=A8E20E0B5A1B0E7E953BA9E8FCA23D17E34FE83678E031416B9ABCB37A4D3A79,IMPHASH=7903C8C0DD6AFC98362137F38959F308truetrue 23542300x8000000000000000314970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qjpeg.dllMD5=F3C9BA9B016A84FA0F8F7769B61FD68F,SHA256=4B681BD19BE568A4E45B00B6F55D597DFC7C8997F7BEA68FC21C0D148F125D19,IMPHASH=9CD23D7C3C2E81F1C5E1643BD8D20FA0truetrue 23542300x8000000000000000314969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qico.dllMD5=659B0881D64D02AD0BE717529AABAB12,SHA256=AD64A9CE17C13B7E010849E790EF7C69B9816FB88AED32FBEBCDC0DDFB09DF89,IMPHASH=962F6472DC91559832062A189D3355E9truetrue 23542300x8000000000000000314968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qicns.dllMD5=C5C71B44FC09A2BA73820F11912F7E21,SHA256=E185775B6A6AF69B2A4D546110E1480CD06A3B5F256F8B6C9BEF650DD811D282,IMPHASH=5C4D8DAAB20F3079BF73B8E981A0EFDFtruetrue 23542300x8000000000000000314967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\imageformats\qgif.dllMD5=51DA21626C4FCEF364C09D3AA517AB62,SHA256=E0C3FE4EDA565C021AC8E37783DF3E62218F6BD7D1DCDC5156BC9E9666ABA59D,IMPHASH=D43FE8D6588D341E81C05A994DC2FBE8truetrue 23542300x8000000000000000314966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\plugins\iconengines\qsvgicon.dllMD5=CE2693C256C3807DC7559927EBBA5BFD,SHA256=81CE10AF22A0F1CC43666C89905DDD566363B612EF6C4509FC12B09074D3BBDB,IMPHASH=13CD419B5D978649404397CA58ED3669truetrue 23542300x8000000000000000314965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5\Qt\bin\qt.confMD5=F35B895B49DAE7F14076895802A7EFE4,SHA256=75CFEF3009E9E451C2EEAB0EDD9477CA24C2ADBEEA1E46F6EC8F2D3328699262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FAF8844442B5E1B41BA11E63E3C0C8,SHA256=41995D1683F50BE7F4D81348DFBD0337DD5BE45965E78329BE3A23A355FFABE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.828{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\pyexpat.pydMD5=BFB3DFFC375370752B3D3F76E42B097A,SHA256=208A7595726CE82654E494F4CFCC9410EAFCE2C2065E531EA3A794C33854AB14,IMPHASH=5B6BAD38FDE6B045E16156E18FE17B36truetrue 23542300x8000000000000000314962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\rc4.yapsy-pluginMD5=169B8C7B6002631827AC8D542FB83976,SHA256=D82816B90489CA1179E735BAEF59571DDB435AAEEEFA0C8378F3581032F7590A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\rc4.uiMD5=B1D56BD612A36DD7AA2CBE05FF7F2FD4,SHA256=B94A683E7A335DA672F14539781902C7EA4A0DD8594B0FB75F8363F481500A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\enc_rc4.pyMD5=CE01F8DEF28C410FA2C18BEC0F3D248B,SHA256=8054A48B019BD2268A720BDCA93139FB3050103B4E2C6086195252FE09AF9B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\enc_aes.pyMD5=E16C6CDB5591685082526C25C75B265C,SHA256=C84386B0C8ADC2C20B88C9AA774B4B415F4671ECDC173F500E1B6285A4867451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\encoder_base64.yapsy-pluginMD5=FFF70062C786087F31FB1A528D46E524,SHA256=5FC776667E417B5A79444F4670195DDA0C23578AE0F0BC952DBF4DC2E4BDD72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\encoder_base64.uiMD5=B2718260371CC4A6DDE5F34AA382A668,SHA256=999D9AC308D51A8D44CE6213FB84E305EF7FC1D241D3A2AA4B7F6A6520EE0041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\encoder_base64.pyMD5=971FB018B7267050F4F1010A157F465E,SHA256=39A1EA7FB0CD5F7053E3F675155F76C8E85BBC021B5905740B456A33A397DB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\basic.yapsy-pluginMD5=F7EB3EE1FD93BE5DBC22DB4521A9A3A5,SHA256=E53C1BD17DDD96629E6BFE941660558FFE74232DDC4B791D45246CEA85916743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\basic.uiMD5=9782F870F81FB15A8BF8CD5E5273FF41,SHA256=90C202F80A896924421DD511DF07AF674843574E85689CA961ED9B3495158F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\basic.pyMD5=DE31CF3919AD5AD3295A8C3042F6DF1B,SHA256=7E75B9A61FEDF0B8E1B759A75FA70FF7134F6F217F8D6FB217F3EC6D02503AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\aes.yapsy-pluginMD5=27FEABD9C78E226C37E15F271721CAE8,SHA256=CB68CD33CABEA4E8F7E06F8251551B9626AD4CCB78C546D6B870FFEB1E1EC549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\unpack\aes.uiMD5=139AAB0D415235E8938EE54BD43A75AF,SHA256=EAEC89F909B187CFD15B49E88ECCE1D4616EA88789D4D75EACB033011DA73973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\pe.yapsy-pluginMD5=C46F97A47F22BE53A4E3DCCCCA013064,SHA256=DC58EA305B01A3928FC6AA0B554386FA8DCBFDC962738908D7B2766B573EF4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\pe.uiMD5=C934C53ED269F84B3645CCAA7019A7FB,SHA256=A4FF1B275D13F6636AD3A61AD3150197DED2256AC935348F52114E7B4D0103F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\pe.pyMD5=2655D6EC0ED58045DC1A78CB9EF488AD,SHA256=BDC20B7686349D439E99961B25EC3B06EBDCDD4012E7D56E326C39565CA35103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\ntfs.yapsy-pluginMD5=00CBB2BB077C2F3C33100BA00464486E,SHA256=EDB986182EFC6DADF0FB7400B708A3410ACDB8CEEC3BAB671F55AEC9D9FB5CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.813{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\ntfs.pyMD5=2FB2E003949DB1C76F3123EDB7993ABE,SHA256=58793588E371CB85E5F734071B97DA24625DDA7322431F553E22E7DDAC367C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.812{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\goto.uiMD5=89CFB33DC7FA16E976F669EA243A30C3,SHA256=8020395038D091E234EDE726935EDDE19A7D91162753BA655B08E8EA5CEE1A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.812{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\elf.yapsy-pluginMD5=1617DB86CCBFDD5F2DBC274801E85FAB,SHA256=009AA36629B005BCE86AF64CE0FB18F4DB0C797F0BE04688FDAA2E85070B2FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.811{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\elf.pyMD5=8FE41EA316CA6D7C2DCE169F8B129100,SHA256=65B6E66C06E7804CFC0C31D3EC01689AFD1E2A143EB599FD54FAE31F402200B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.810{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\bootsector.yapsy-pluginMD5=3E8922BD49F7F0652BB0513643DBB6C7,SHA256=A570E9C3F2933E1D36A00BCE3864645675104EE84DA0C4DD94779C4D543181BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.809{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\bootsector.uiMD5=98AD705E6FEA4ED59AAADF4C294C732A,SHA256=5E6A770CA57379812851821ACEBA4104F140E68F2D1BC3BE828316E47716DC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.808{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\bootsector.pyMD5=663627CE4AAF3FB62934F137555596DB,SHA256=91F7E9D6BC4AE72A5103A0E7A5770A16B021436EC341972FEFE31E3E11C19891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.808{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\binary.yapsy-pluginMD5=5990F8D272DC0F7C69F43EF580D3C4D9,SHA256=79401395F8AF865FDAF58EEF52CDC4EED95EE51CAB675F8A7368B7DC72EDD80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.791{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\binary.pyMD5=3296CD390E1C0B9C48726F56CC87CBC1,SHA256=6066F21E33247831633FF563E61ED25CF9549975F7E94F1541C9F592B8F19C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.791{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\apk.yapsy-plugin.disabledMD5=280FFA79F612482D47B0C241EA4473E5,SHA256=0202251CBCDC30ADE78E12ED4C145441F857080C21F29C9A1061D9FDED94ABFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.791{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\apk.uiMD5=EAF9751806B37F1CFC1CEF5DF92DE113,SHA256=33FD498D15030E9B38428F3201E90969A4732FD88452CAEA83B2D6049414BA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.791{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\plugins\format\apk.pyMD5=F13D6D11D59DA45AB2A5CB8D4B53832F,SHA256=763B5016455A20638AC29BE0D02B85CA3D9B37B8734BB6EB05C4777B2B991822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.791{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\MSVCP140.dllMD5=B9ABE16B723DDD90FC612D0DDB0F7AB4,SHA256=75FC76655631A4AE72D015B8E85F899537C603661CA35A3F29099B8E4C84716C,IMPHASH=C3BAC5B277D6A19414754B3EA09DBE12truetrue 23542300x8000000000000000314933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.791{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\mfc140u.dllMD5=5E0548B18DAAA378E30FA562826E9070,SHA256=B576336FD2D0688C1DAD0B508FBDBC2081846E43B0CCC6BE4E3A71E498E1DC40,IMPHASH=45FCD240272D339ABF7E63B0578EA97Atruetrue 23542300x8000000000000000314932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.744{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\lib2to3\tests\data\READMEMD5=D3D39C73DE677A4415097DD577E1097A,SHA256=B7442A0D467C1BC14706408CDB44109DF70728AD4472E1FB0B60947A053752F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.744{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\lib2to3\PatternGrammar3.6.2.final.0.pickleMD5=986C4CA9C0D20C0D8EE01455D087DBD0,SHA256=EDB7F84F6A386161434BF3CDB64DB03B29B80717CEDD1C492789578454BC3D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.744{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\lib2to3\PatternGrammar3.6.2.candidate.2.pickleMD5=986C4CA9C0D20C0D8EE01455D087DBD0,SHA256=EDB7F84F6A386161434BF3CDB64DB03B29B80717CEDD1C492789578454BC3D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.728{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\lib2to3\PatternGrammar.txtMD5=979BF0985B9B796D53C07BE40F02B132,SHA256=9BAC1F5A4EF2DFE428DF9AFBECD59D250EFC5CBD42A93FCF9B4C6BE9E08E7693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.728{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\lib2to3\Grammar3.6.2.final.0.pickleMD5=A58798A9E7EA57AD816B1C4496606D79,SHA256=28FE24EB8DD20FE8230A81CCEA5DB8ABEA3B74FBABF067885F90485A5A7AAAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.728{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\lib2to3\Grammar3.6.2.candidate.2.pickleMD5=A58798A9E7EA57AD816B1C4496606D79,SHA256=28FE24EB8DD20FE8230A81CCEA5DB8ABEA3B74FBABF067885F90485A5A7AAAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.728{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\lib2to3\Grammar.txtMD5=BEBFECC2276558DB6E9B081FD1481282,SHA256=EEA372D809E7E359C7BC6395430B8C2EEE033AF263BC43AC63387591D5B63660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.728{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\Include\pyconfig.hMD5=A50873AD13EACF946D69494840E96957,SHA256=7AF6A6E336FB128163D60AB424A9B2E9E682462DD669F611B550785C1D3D14AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.728{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\dropper.uiMD5=7FFE27EE00B3513C60CE2A9A7F8EDBE8,SHA256=184A8EFE2B1A73B7731676DDA76C56972C00C339AD62FBFD87D26CE38CEB9979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.728{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\capstone.dllMD5=E472843CBA2FC813C50CF0CD10255314,SHA256=6A43BF7AF886D16027436200CD44EF4111362AA86DE117A90F6101ADC1CD70DA,IMPHASH=0405D64DB47E061FCECA02C7AA3944E8truetrue 23542300x8000000000000000314922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.713{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\base_library.zipMD5=B1717A971886E817F7D77A1AD64EDA77,SHA256=D407016BBF7C48C47F2840867739E8670576A6461ED4A4CB2BF479B920B2976E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000314921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.709{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-utility-l1-1-0.dllMD5=0E856D6A4AF9C791B3E84D07F65C44D2,SHA256=00ECC2C0C699AB8E528F47554DD393F56E5F07B538007F6D499FA1A5B82B3421,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.708{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-time-l1-1-0.dllMD5=47A1F3D4F55113376E2EED5305447E74,SHA256=0B9418BC7CEED49A75799A0808F16252E151106FBE98DFDA44BAD079DBC1887E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.707{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-string-l1-1-0.dllMD5=C0E1DA84E6ED196820A06DDC0F773EDB,SHA256=DDBAC73C9505645E7526E60B4AAA81296B4E8EFD34AA9E81B7590F52F8ADAF90,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-stdio-l1-1-0.dllMD5=4D91DF0A5080BE0B5A041AACA7010D73,SHA256=61C050402388F3EDDA6AFF3388AD0952B79A8AFB8F739DA3426B86939BA3D784,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-runtime-l1-1-0.dllMD5=A195EC3EC8A4B1338533D1F492F83BA8,SHA256=C2F1173A9F345EDB990B99D59AF4DB54C66AB3769215C2AD7C1B51CB26586C0F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-process-l1-1-0.dllMD5=E6994EE954AD1F87AC692276D5D88B49,SHA256=A8A5B4A98C97C86B03D450FCA7425DA03E60E6A07FBC1FF95F8E49C74DE69B13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-multibyte-l1-1-0.dllMD5=C7137DD69AEA38D216F1785F43CED6E4,SHA256=02B7476E2899CD15DA8421B44485203F504C96870E7CA97AD56224206974475E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-math-l1-1-0.dllMD5=CB35F30DD6A029B01062BA83519669B7,SHA256=EF00BCE29046E7A8FC02C457EB7F3F3D6A5A8B8FCE82458D9880F0306B573EBF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-locale-l1-1-0.dllMD5=35E02A5275ED2F085378CB8176084B2B,SHA256=EC9C2A143354DE7813CEC1E28DC3D8E2CA2BE86731DC8585FA8F8AFDC2BC888E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-heap-l1-1-0.dllMD5=04936CBA5F2D9BA40C3E266824C231E5,SHA256=3F93421FC454937C6F35F48818D72B8E39DBA5D0FBC532DC83DCA55F3D203977,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-filesystem-l1-1-0.dllMD5=17A90B88C1B5DE0BA44B545DECB82A6E,SHA256=9E997705299430DBB57B202D81D5719EF9D5270ADE741F1BBF2E2AD40AEA087C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-environment-l1-1-0.dllMD5=BBE2AEFB77C6B261BAC6B26E512A6E7D,SHA256=5EFA4DFBB7DA525EE1DA0F011913B8846CCA53AC7CD23986E5170957E05DC277,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-convert-l1-1-0.dllMD5=ED15EF84534E2FA66367E6C4C9CB7CC9,SHA256=A1393AEB73C32CAA5052A76897558B5475C1F396C5476387BA8D7BF3F471BD21,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-crt-conio-l1-1-0.dllMD5=E92CFDB8C9C51A6C71C5C54806523E90,SHA256=A808E1F0F9C07ED2F8A79E3FEDF5D38F609F7D0133BF389297792BBDADAB4AD9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-util-l1-1-0.dllMD5=D33BF473059047AAACC520A8DBA40B89,SHA256=D9266824E1BA2A0530D7B29D8E85B70177105FDC0358329C9039FFD49A374BDE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-timezone-l1-1-0.dllMD5=75AB723020AC262B6B5669B9BE0239C4,SHA256=AF9BB3FF8B02B16A5AD1897DB329BB934D07DC081984044373F2D1AC03532907,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-sysinfo-l1-1-0.dllMD5=1CAB2F6B242DE038F945A64E10A120B3,SHA256=F8A1C96370184068DC7299B92096536F51EB8275BB4840450A90C708E29C0F8B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.692{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-synch-l1-2-0.dllMD5=DD97DF009BAA58CDA29F91C066CEC650,SHA256=C5AE7F9D384F80B2F11F267323794D7DF241ABF6572456C8350D95F9325B20D7,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000314903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:21.814{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55333-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000314902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-synch-l1-1-0.dllMD5=4AF4A66969482CA9D008E9C873E65C12,SHA256=1717D6A7996178448D5C5B94D77BCA2C38910F4805208AD125B2626F0159E3EE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-string-l1-1-0.dllMD5=8016DA90AB94F09BEE528ED6F8888D48,SHA256=A63DE7EBE8B4715EDADA0E158A9FB4A9D145E38465955CEC271FD35D45DDB085,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-rtlsupport-l1-1-0.dllMD5=4A46FDA4D02BCBDC8F65C5D58331E4FF,SHA256=9431DFA2EDD91E5364B5B03714D12965E206E2DE36D371447FE601D3C7701A77,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-profile-l1-1-0.dllMD5=DD988F470CB5FE9370F928548C123F6B,SHA256=E0F53419E506A1C803AD7B820836313BB6CB84EBC1D79FF237EE52A230CA5E8F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-processthreads-l1-1-1.dllMD5=D4148C6BC8C9881EEDFB64C87375F629,SHA256=6A8AC79A755982C408B86AC6876D0F861C96AD7B3CE203B8951D7D278B113F20,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-processthreads-l1-1-0.dllMD5=F855A04A7EB7AE1C5756CEA828B1ABD8,SHA256=611A0E8F979A1E1BE4CEBC384FE390F2BB370C639A36C30E62F9ADBC5E12319F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-processenvironment-l1-1-0.dllMD5=85AB69F4B594E8AE057267415ED97850,SHA256=F37E8F33ABCE833F5D98C8F406CA9276D6832820DFC99A12A636883D40B7F714,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-namedpipe-l1-1-0.dllMD5=4F38355AE5E8D3F88956D59A7F69465F,SHA256=3A39CB8DF374801700D491436D740DF373623D4740771019C1146E15A9235FFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-memory-l1-1-0.dllMD5=DC54CC3450E734928FA426C7578EFE31,SHA256=1BCE3EDE03AF435397023C8BF2A7297381A8E7EE191CCDC8BB51E124A4871698,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-localization-l1-2-0.dllMD5=5D32A3644D850032038B55546B6D6665,SHA256=BC3972EA34C0DF384E6B1196CDF88C805F7363949E7C92D5CF457FA5114D4512,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-libraryloader-l1-1-0.dllMD5=088C8F4C4EF87B04376DFCBA789083AB,SHA256=D90E6FC57EFB8CEE29DD81591E4A4C9D449208C87C632FCE3633EFB865A69A65,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-interlocked-l1-1-0.dllMD5=0977FE53A468F27750EC2DC76790EEDA,SHA256=C2DADBB53D2F6921BA882CED0E0AFA9F841CE2FE4646BF829C038DBA94E18080,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-heap-l1-1-0.dllMD5=BED468F0C1A1F8358DC24B6E4C3C640E,SHA256=B5FD420888D1FBC706608802D614ECCBE456D665EE5782E0AE4BC58A494032B3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-handle-l1-1-0.dllMD5=910DBE369BACE67BFAEFEA6152B11050,SHA256=69A3044E9FE8EB51C639EA6B22B8AEAB207ABABC7C6FE2220E8D26AAA39203CE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.675{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-file-l2-1-0.dllMD5=5B99824D6509FE5B4F0DC09C3706E4B9,SHA256=2771BF5156CDAF5DDDC234254DC200064C2643EA2368807A965F5574153B4C08,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.660{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-file-l1-2-0.dllMD5=63F88FA59F6CED6EC5BC50B5407B1FC2,SHA256=A179666B529FC407FD16BE148F5F221FD7774773E80A94D747091ACA7D390DA4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.660{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-file-l1-1-0.dllMD5=F5D509A996E81A628D9F8E34EA05ADF7,SHA256=E6BEF4D6B566DFBDA75DEFAB9229E11FC0F165AEE0CEB594BDD5059D749E14AB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.660{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-errorhandling-l1-1-0.dllMD5=C2682307BF81DAD53677995C76798B0E,SHA256=4084E648B26B93D6A5A935198FA3156C5D3455ECE6776548F6C25334684CC628,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.660{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-debug-l1-1-0.dllMD5=93CB42CDAA2B39D0DB24CDD2F0424755,SHA256=062EEBB21FB815A5F04CD40D6A18F34FDA54B0874825B458CA1A7E8389175F51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.660{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-datetime-l1-1-0.dllMD5=9F5BD748E1D5135935B5E37DB76C4536,SHA256=EE4C248EF69285CE873748DAAAD48355EE5F4A07B6A9B315848CBB51DA5F75EC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.660{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\api-ms-win-core-console-l1-1-0.dllMD5=014AF7FC0A314E14F5F72E81ED5286B8,SHA256=34D8BBFCFE575279B4839EF71533EE3552A90EF6B8A33CCAEA7B3A96A8EF7CC2,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000314881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.660{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\annotation.uiMD5=31723244771B7EDE93FA9B980C97C363,SHA256=614BECD0F8EC40FB416B8AD16DAF06C297078B1A020E443A7AD19DFA3A3CDA91,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000314880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.660{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D02CE\VirtualDesktopBinary Data 534500x8000000000000000314879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.644{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe 13241300x8000000000000000314878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.644{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080230\VirtualDesktopBinary Data 13241300x8000000000000000314877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.644{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000005028A\VirtualDesktopBinary Data 12241200x8000000000000000314876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:24.589{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000005028A 13241300x8000000000000000314875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.571{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000314874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.571{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Nqzvavfgengbe\Qbjaybnqf\dvrj-i1.2.1-jva-nzq64-3.6\dvrj.rkrBinary Data 13241300x8000000000000000314873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.460{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000314872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000314871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x8000000000000000314870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.444{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.891{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AE06D09F9C6984B5873ECD4DCCB3CA41,SHA256=7B1D81030B22929A4B499E4A0F4563CD4895E33E4FB8023718D27CB6CFB0F176,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:25.126{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:25.124{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:25.121{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:25.118{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:25.117{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000303033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:25.050{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A03B6F7A9719F685289362D2B5D4661,SHA256=C9E2DA920E41BA9127BEBF0BFA6EBC0AA08410F6A71A2B8EDC045FF13D4607EA,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000315062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.345{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe 734700x8000000000000000315061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.329{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.329{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x8000000000000000315059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.329{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_win32sysloader.pydMD5=7866D8E4272C6F0AE60E87E99228FAD4,SHA256=4CC59B23126063A2AB6B8D39F40853C65A5D3F16FC995F7C453AD7309AD6FB4F,IMPHASH=48BCCD8BC796C2EDDEA408EB34D64CE9truetrue 23542300x8000000000000000315058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.329{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_ssl.pydMD5=A08F898141CC4307430EB9D15D2E6B35,SHA256=B38D1F30AE89E6E1513BAF4684F79B0DA9E1C38E611C1180EB3276D0D31375B8,IMPHASH=7DBAD4458175F6957D3A37BD1E80650Btruetrue 23542300x8000000000000000315057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.313{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_socket.pydMD5=96F7EDE883C66710284AE5A3B7B155B4,SHA256=CA5787032B88940C805189829701B0BA6C7517DC887ED02097432F6C9427DA29,IMPHASH=D6340774B66C15AB4D7796B74D07AB3Atruetrue 23542300x8000000000000000315056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.312{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_multiprocessing.pydMD5=59DD9C5897DC5F9D4CA80E65A70FDFE8,SHA256=B5BFA8DD12DA0D2201CF71C18296133D571458A860B2AB8A483891D2E1E4CBF1,IMPHASH=D2AA19D89A1EA123652BA0CD46574A92truetrue 23542300x8000000000000000315055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.311{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_lzma.pydMD5=949D49B6E982F10B8DE11D2982FEA148,SHA256=5213EBF5C5793EC7C248B0470824EA243C85E12299FB9EC4C764AC23BB3BB370,IMPHASH=35ED7CA5A25F3958D077EDCF889B00C8truetrue 23542300x8000000000000000315054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.307{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_hashlib.pydMD5=5DF4C1D720D5E5D6EA53E57193EEA67C,SHA256=8213FD3643C7052149FA25F54C7E2222CF122A4BEBF22EA75ADCD228650A98F8,IMPHASH=DC93C760EDE2C9DC9BA5F2A0B93CF4E7truetrue 23542300x8000000000000000315053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.291{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_elementtree.pydMD5=403AA165570F5E2C006D9DE9F9B008E0,SHA256=955A0A82294FE68F9E810745EF16BDE0706960E035A8242C978DEC3C20D82848,IMPHASH=E9072105262765658CF228E309BB6B52truetrue 23542300x8000000000000000315052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.291{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_decimal.pydMD5=19581D1F8CFAF27FD95475E57316F404,SHA256=494D5CA4E50363D7EF0DF3EBD6C02E67C03AEA249AAD43C3572DDC3FCD26964D,IMPHASH=5B66F20F6E4E26B13C2B7322702E6128truetrue 23542300x8000000000000000315051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.276{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_ctypes.pydMD5=CD42D7C9FD7DE00BC7530A44702B78A8,SHA256=FF877522DCA06E06ECE5E2ACD19908D2FC7D914F93A89C6974E91DAB69B3EB2F,IMPHASH=D92AF97773D5B5CF0581660DBABC4B59truetrue 23542300x8000000000000000315050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.276{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\_bz2.pydMD5=7207A2C54FA21449F48A603E3203F5A6,SHA256=D5662E4E394F96EB11790113A34AB0948ADDFC9C1090831EDBADAF8F19E04C0D,IMPHASH=AC710E6CB4F385078CB4AC3E4FCC7E96truetrue 23542300x8000000000000000315049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.276{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\win32wnet.pydMD5=860BF386FBCFCB5329EB6ADD445597AA,SHA256=3AF9B3E44494AD778546DD5FBF88124C8A762DA238C861338C2359F4C5509EB3,IMPHASH=1682C60F5AA8CA697399C7DD2C1EB780truetrue 23542300x8000000000000000315048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.276{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\win32ui.pydMD5=6185F739B4C7A916CE52DB0ACCEF1293,SHA256=46D9E63DE44816C1735519A68008F1F90416DB447FB078D5ADA3BEF6205175F3,IMPHASH=8284179A2DC6058CC0EA67F09AF107E1truetrue 23542300x8000000000000000315047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.260{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\win32trace.pydMD5=8969664A3122FF6289C81DDF802BF7DE,SHA256=D52F88023A5812105FAE70CCA05D16B0F81751457765031B0E07C4C75669714A,IMPHASH=BC6110C95959FE7A493FA30D8667A041truetrue 23542300x8000000000000000315046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.260{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\win32com.shell.shell.pydMD5=821FAC3F21F5B601FB59697838BCF88C,SHA256=AFD330DFB8A9DFA8D09F833D2D9EBEAB143E2799896B27EE779520D6946A9817,IMPHASH=61135085ACC7C7FEECBAD847FF114D55truetrue 23542300x8000000000000000315045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.260{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\win32api.pydMD5=D6AFCD4FFD613D4E237C210C4907E407,SHA256=612958EF39C5AB55D29E1DE150F1EC7EBF456E30045D8C1E2CBD66847363DDB9,IMPHASH=D6C1CBF0DAA5FE76C75FCC0B8C165A5Atruetrue 23542300x8000000000000000315044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.260{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\VCRUNTIME140.dllMD5=EDF9D5C18111D82CF10EC99F6AFA6B47,SHA256=D89C7B863FC1AC3A179D45D5FE1B9FD35FB6FBD45171CA68D0D68AB1C1AD04FB,IMPHASH=F49AC71A58DD00B20FFF27FD20515FFFtruetrue 23542300x8000000000000000315043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.260{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\unpack.uiMD5=8627814E9CA15FCD0A78FB3F6DD2A63C,SHA256=07A5BACB5BE6ECB9D9623CE228926946AADAF01EBD9F64004C517C046323D7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.260{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\unicodedata.pydMD5=52CCD5EC3720301095A486DB3E93C70B,SHA256=C40BF172DECE435459244680FBBDB565DCDBD9F1AEACD7159734A03FC22D8478,IMPHASH=E75855F8972A068807D0FBCDC5903791truetrue 23542300x8000000000000000315041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.245{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\ucrtbase.dllMD5=60606071BF033275377FD66A2A7DE09C,SHA256=4EACE6C996A2ED322BD43810DB9FB64E20114682F4B71FCD4031215F803F5F47,IMPHASH=9ECEFC879760392702702411B32C11D8truetrue 23542300x8000000000000000315040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.229{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\sip.pydMD5=1CD4DB6DC4CBFC50ECDF21500B671EA3,SHA256=27FF605866FC1674ECCC059F29CC942CF75CDD8F1C4F09E0E27A24DF8C250733,IMPHASH=3357F52CDA36992BE86FA280DF53356Btruetrue 23542300x8000000000000000315039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.229{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\select.pydMD5=0504A418C35F03022AAD4DF38DAC6009,SHA256=2BA0BDFB4BA11946CB907CC006E5A93F5DF34A0DD2CE77364EFEDEAB820793EF,IMPHASH=A35958563A17BFE8237D5200F181BFE8truetrue 23542300x8000000000000000315038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.229{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\search.uiMD5=AC18343021686FCF5DA7B8297565CE58,SHA256=D8F1FA1A2A49EC769A38719877803F33789D17BC63BCB415B2B0FB78B6DDF3AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.229{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\Qt5Widgets.dllMD5=B576C9CFCE3BBD2BDE1A834C4127C606,SHA256=9453CC11FB3AD8201E37CBBF9725F08A48E48AEB43A8C076D369B5EC01D428A5,IMPHASH=AC982A9AAC0BE118E3597F1A1D004C87truetrue 23542300x8000000000000000315036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.175{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\Qt5Svg.dllMD5=E08DFD1B614269173E3F3C587516140E,SHA256=4DF2ED62622A13964811A40E2FC3C8681A0F07FB64CAF6E16BC393355DD9F06D,IMPHASH=BC0C65D7C14B357F4928823F841057CFtruetrue 23542300x8000000000000000315035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.175{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\Qt5PrintSupport.dllMD5=C478ABF475BCB683D96181D39668897F,SHA256=42C50EA5C8CEF12AAE861C85E401EA5CA271722BCDAEE53B1BB4FDBAEA1D6AC4,IMPHASH=F12D2BCB2DDA76472CF4845FEC137E15truetrue 23542300x8000000000000000315034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.175{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\Qt5Gui.dllMD5=D34667CD48AEB8676D446ADE12F82551,SHA256=08D6FCA27BE6217A5B572B4DB9F6AB51D4C985AC7AECCE8FCAD5A10FB56C7377,IMPHASH=26D8652AE9DDC80B766E24B7ECAB4849truetrue 23542300x8000000000000000315033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.113{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\Qt5Core.dllMD5=3C3004F1CE51215B1E1244E1836476AB,SHA256=3A3DCEEFD063176D58CD6D83D0F8B09EE5877C659E4470C24310F44F45EBCB36,IMPHASH=2750494AE435DF49B788A63BB96C482Ftruetrue 23542300x8000000000000000315032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.059{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\qiew.exe.manifestMD5=5FE4014E10A5870674988E9F21DF55E3,SHA256=7149FF2DAD37E46D99C202C90FF7A3BE0E3DC297EF79C3DE708CE568ED633ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.059{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\pywintypes36.dllMD5=7482DB17926A3920EE08231FECB69485,SHA256=6AEEBE534B6984DBA374CAD505350DD3714EEC9E18907DFBA3C30E4032A50E4D,IMPHASH=B57382830CBA1D74406F7AB734830BC5truetrue 23542300x8000000000000000315030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.059{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\pythoncom36.dllMD5=CF0C65048EB2FA97B378465D3942025E,SHA256=9ACF41F2C1CF14B2A10CC5E318BF9EFFFDA48BC7B91775ED5EE229EE9C34C872,IMPHASH=B1D909175AF2D398B52B5D004B23C28Btruetrue 23542300x8000000000000000315029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.059{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\python36.dllMD5=DC8117A884DDEEAFA84E3ED005D63523,SHA256=1B8EDB9A1E6ABB18CB501852872544B58F298630D2513283FF475337625E23CC,IMPHASH=51AC319EE2317AE549D9C07EAA997DD3truetrue 23542300x8000000000000000315028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.044{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921A122A2D64995274B3B938961C43A1,SHA256=81D28D5C1583BA1884F38937ACB04DC1589B4F7015DED06BD8252AD5EB5BE016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.028{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\python3.dllMD5=E507D7290F2D042A74E8AFD1882DC3F8,SHA256=BBBFBA910D4ABC8836258F2804570CC4074239E9C6F754BE439742DEEAF3D32D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000315026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:25.013{F6DB49F2-D257-6305-0001-000000007602}5416WIN-HOST-CTUS-A\AdministratorC:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_MEI54162\PyQt5.QtWidgets.pydMD5=79622C46298B22E8C929C07328E98A0E,SHA256=998693274578490ECF8AD7174729BA5F8F1AFA498EE6F3D32DE75A9AFA577A11,IMPHASH=2C5CE4E65D8977EE568C976A48BED713truetrue 23542300x8000000000000000315067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:26.991{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCF25F52191DBF6D27A987F547DF80B,SHA256=33657DF4DD751864F27391D97B4F081FF9B08F4ED76D7ABF931AA45F6FE66CCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.781{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.781{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.781{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000303045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000303044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.772{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000303043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.768{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000303042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.768{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000303041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.768{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000303040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.767{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000303039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.127{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756407A1512645A70D81B3734E9A53BE,SHA256=FED9C4E5647F30902BB1C36C437061A05A64F22158427627E1823B17AAC6567A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.887{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55335-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000315065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:24.109{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55334-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:26.144{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D93499574E177F80EC70BC62129629,SHA256=ED0BAB47153F0647BD67C53E986A2FFAF715B55EF2C26C1A571CDA753E44A1B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.816{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.813{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.811{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.809{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.806{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.803{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.802{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.794{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.780{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.772{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.765{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.755{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.737{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.731{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.720{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.714{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.712{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.702{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.700{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.697{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.696{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.694{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.693{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000303055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.324{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EC9DB5EF7780B40B83D5C3B187841E,SHA256=71CB5A80085EAB573BE5B0B3810D883AB1D0B5707A86ADC98C5DC90CEE788E47,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000315079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:27.576{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000315078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:27.576{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkrBinary Data 13241300x8000000000000000315077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:27.443{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000315076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:27.443{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x8000000000000000315075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:27.443{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:27.443{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:27.443{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000315072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:27.428{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x8000000000000000315071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:27.428{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:27.428{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:27.428{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:27.428{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.185{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.183{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.172{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.171{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:27.160{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000303080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:28.407{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEB8C62DAC6C5D2670471CEC7464CC5,SHA256=2E159C7734D69709F815C54DED301120DB455C148967AF28FF12227FF7C608CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:26.395{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55336-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:28.075{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41552C93CE39E3A5BE079F7E357869E0,SHA256=B5EAB22E8C7061260993AFF1EC8AB637DFFCE88E06268A9628B3C53A6DDACC5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:26.727{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61509-false10.0.1.12-8000- 23542300x8000000000000000303081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:29.540{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170CA843505756138495D8CC9641BAE9,SHA256=36C76D5F57B511785D7020D967653425E99EF0BC6E433E574B133E3DC5673D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:29.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB99E634A7B05267B0434865956EA67,SHA256=D76147226ABE438E3945871830B44C6609172A0E6097F84B6AFCC1F8D333E1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:30.640{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A4D7C1A5D75B9AD76D6242037AFC68,SHA256=895B7EA159C62047AB7375B0F345860DAF93248B53AB04CC48B15907C1997ABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:28.592{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55337-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 13241300x8000000000000000315085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:30.578{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000315084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:30.578{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x8000000000000000315083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:30.310{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA127EB74DAF79E3487556D6CE67BF55,SHA256=C083A0F1A52E38E36ED2F8E246B7FFAABE5AD2B2305134948B4480B44BE2FB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:31.761{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871B4FF14CEB5A917B2A5FBFA12CB421,SHA256=26C641766B2CE34BF049BB42FADCEF194730E9A3F1DA47AD623723BF26315198,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000315120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:31.445{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000003015A 13241300x8000000000000000315119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.445{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000003015A\VirtualDesktopBinary Data 13241300x8000000000000000315118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.413{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000315117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.413{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000315116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.413{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000315115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000315114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000315113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000315112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000315111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000315110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000315109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000315108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000315107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000315106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.408{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000315105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.392{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x8000000000000000315104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.392{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.392{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.392{F6DB49F2-D1AD-6305-C400-000000007602}32724344C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.392{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.392{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}32724104C:\Windows\Explorer.EXE{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000315097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000315096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000315095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000315094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000315093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x8000000000000000315092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000315091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000315090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKeyDWORD (0x00000000) 13241300x8000000000000000315089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmdDWORD (0x00000001) 13241300x8000000000000000315088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:31.376{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlagsDWORD (0x00000000) 23542300x8000000000000000315087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:31.345{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED7092A181CB9F27D27DC8E438C8D1E,SHA256=EFB01B6EBDD221822E0E4431C3C0A3C0978F6F3E135B36379A964DDB0E476ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:30.878{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55338-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000315122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:30.873{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55339-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:32.757{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519E499F6BA34D8DE76DF219524674B9,SHA256=D4CFB7EAFA9F124083DD00E5608E58E1B42B253D3799E9EBAB73EEB9BD96FAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:32.806{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5AA7F60060A81AAA4765C32FC70C63,SHA256=EB4CE8D93E8DFB0B7882CC5D5A1F10505FE42CAE6610E2074D4EFBD445EB8E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:33.909{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544F4CEE2E1EFEBD9F7BC8C9D8A2B671,SHA256=EF7309A4D81D1D6903C3282F1B7B80BCA74405BC3B48E9370CFF00DC7824C11F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:32.590{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61510-false10.0.1.12-8000- 23542300x8000000000000000303085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:34.023{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F167DBC6ADA4944B25048480F4ADFA8,SHA256=274233B968A167ED9CA00DEC1DD643BF47C87EEA51C3B5FB7ED651E29807D2F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:34.990{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E78DAC7587EE9E89271762FEBC9664,SHA256=F831AF21B0FEA9303B0CD49D4A7FD7850B4480603573425D763F9CA2A2A7E53D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000315133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:34.959{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 13241300x8000000000000000315132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:34.959{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000315131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:34.959{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000315130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteValue2022-08-24 10:09:34.959{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000315129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:34.959{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000315128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:34.959{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000315127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteValue2022-08-24 10:09:34.959{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 13241300x8000000000000000315126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:34.406{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000315125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:34.406{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkrBinary Data 23542300x8000000000000000303087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:35.241{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587BB18B6D464A8808D8760B16E944B8,SHA256=66037D379C470DD33141249FE0BB3560DAC4FF8BDF8F2816593EB0DAB8B19D17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.997{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.989{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.984{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.978{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000315232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:33.146{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55340-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.359{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42643493FAB1FDD39226609415DEDFC0,SHA256=9A6543DC1AA762A3916C82A9656B4402DC328536E7E31C0E8480B5DD72D2C0D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.259{F6DB49F2-D1AD-6305-C400-000000007602}3272WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=9EC54C10A6A9569B57E4FFE729306AB0,SHA256=02A66001A2322BD927F0FB8B8135C3E619D21B162515C0E1E5987DFCF7B162E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000315226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.243{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000315215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000315214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000315213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 10341000x8000000000000000315212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 10341000x8000000000000000315210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000315209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.228{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\Control Panel\Desktop\LastUpdatedDWORD (0xffffffff) 734700x8000000000000000315208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000315207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 12241200x8000000000000000315206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\Remote\2\Control Panel\Desktop 12241200x8000000000000000315205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\Remote\2 734700x8000000000000000315204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.212{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=8D873A5A85B7C0BEC189690C3A24735E,SHA256=69FC48A08079F23D165E0F86209174784D73DF02B07897B59A64F0A8C9900CA1,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 12241200x8000000000000000315203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\Remote\2\Control Panel\Desktop\WindowMetrics 12241200x8000000000000000315202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteKey2022-08-24 10:09:35.228{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Remote\2 734700x8000000000000000315201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.207{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000315200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-D01D-6305-1000-000000007602}9242556C:\Windows\system32\svchost.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-D01D-6305-1000-000000007602}9241132C:\Windows\system32\svchost.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000315196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000315195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000315194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674trueMicrosoft WindowsValid 734700x8000000000000000315184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000315183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.190{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000315179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D1AB-6305-B400-000000007602}16963748C:\Windows\system32\csrss.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000315178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000315175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.167{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{F6DB49F2-D1AC-6305-A5D1-0F0000000000}0xfd1a52HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000315163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\System32\svchost.exeC:\Windows\System32\wmsgapi.dll10.0.14393.0 (rs1_release.160715-1616)WinLogon IPC ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationWMsgAPI.DLLMD5=F057E6CFED6521141F9E2AA786FEBF9E,SHA256=FE15ADCBC8E9B129BC09FEC47A89A487F5D9E537DC05674C413A8D9D84860535,IMPHASH=0070F559678E041C453782364C13F0C2trueMicrosoft WindowsValid 734700x8000000000000000315160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.175{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\System32\svchost.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release_inmarket.220514-1756)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=5E5738CA2D1A3253227821082EDF3B22,SHA256=A8240C2690B6EF5B8792E8F2BAEC6F282445073EFEA17D275D16F7A5079DAF56,IMPHASH=D73DA1D2C74E22057889487739A1CF17trueMicrosoft WindowsValid 10341000x8000000000000000315159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D01C-6305-0C00-000000007602}7202936C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.159{F6DB49F2-D1AD-6305-C400-000000007602}32721860C:\Windows\Explorer.EXE{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.143{F6DB49F2-D1AD-6305-C400-000000007602}32721860C:\Windows\Explorer.EXE{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000315148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.143{F6DB49F2-D1AB-6305-B400-000000007602}1696C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC\DeviceKindDWORD (0x00000000) 13241300x8000000000000000315147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.143{F6DB49F2-D1AB-6305-B400-000000007602}1696C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC\IsTabletPCDWORD (0x00000000) 13241300x8000000000000000315146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.143{F6DB49F2-D1AB-6305-B400-000000007602}1696C:\Windows\system32\csrss.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Tablet PC\IsTabletPCDWORD (0x00000000) 13241300x8000000000000000315145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.143{F6DB49F2-D1AB-6305-B400-000000007602}1696C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 13241300x8000000000000000315144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.143{F6DB49F2-D1AB-6305-B400-000000007602}1696C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\NonPreserve\LastAutoRequestDWORD (0x00000000) 10341000x8000000000000000315143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.090{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.090{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000315141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.028{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 13241300x8000000000000000315140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.028{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000315139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.028{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000315138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteValue2022-08-24 10:09:35.028{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000315137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.028{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000315136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:09:35.028{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000315135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-DeleteValue2022-08-24 10:09:35.028{F6DB49F2-D000-6305-0100-000000007602}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 23542300x8000000000000000303088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:36.342{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9CFCA0AB70874104B5E413672718D3A,SHA256=8408C28B267695E7E1DB1E681E23B6139566AA3F474B610E737970411A4BF985,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:35.346{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55341-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.629{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6BA31B469C74BBA9E31A0E402B057E,SHA256=EFB9414F25D89A5C4A8B136671AD9D5328B6F1B3397891F3000FD968AD4F6B8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.582{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.580{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.578{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.576{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.574{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.570{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.568{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.566{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.562{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.559{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.557{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.551{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.537{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.536{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.535{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.534{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.525{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.516{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.499{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.492{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.485{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.481{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.479{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000315282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.478{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96765AD2A95F6E9B97EF0ADFF2101C7,SHA256=F2C194E494A998066205D0FEF13E08A7775640C38EA7C090724A97310D783F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.478{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4171909B1361AC921AF1F62B6F2D307E,SHA256=C6A8E5258B5359C7282F4381D1B1C59672D3D88F06CB826DF7BCF4AAA307F195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.477{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.164{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.158{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.158{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.157{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.155{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.154{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.152{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.149{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.141{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.138{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.132{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0A00-000000007602}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0A00-000000007602}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0A00-000000007602}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.130{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0A00-000000007602}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.129{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.129{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.129{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0A00-000000007602}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.129{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0A00-000000007602}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.127{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.124{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.124{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.123{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.117{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.116{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.116{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F8DF-6305-DF05-000000007602}1684C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.105{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.098{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.085{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.077{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.072{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.072{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.066{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.050{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.050{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000315239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.034{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.014{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000315237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.006{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000303090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:37.558{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BFD8EDFDCE96FB93A645AF79CD00A02F,SHA256=5D845F3E65E24B865E52DADF7F901F81293E6D976B88B6B617FED224A5AD5CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:37.474{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB70208FCE549F8306F097C2D793B7EC,SHA256=5559643198745C426F489FD9409D65F1C7546B5A01B3DEEA72B12C95C981CDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:37.129{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66638D7D8ADBA675E39C1296F24D12B3,SHA256=E5CB64117F177B472DD4562D2D65F1ECBB15B5BAE8C0FA973407F3B6B1A8EDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:38.504{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A1386CD12F710C6592062685E7E720,SHA256=C8EBD4997FD834949A23FBE65A683B5A5989A99A25F4D15C86ACFC84567B4664,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:36.873{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55342-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000315319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.335{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.335{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.335{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.327{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000315315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.327{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000315314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.326{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000315313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.322{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000315312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.322{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000315311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.322{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000315310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.321{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:38.228{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D1A6CB9C0AE1020617F849611D69F3,SHA256=78E622EAE391D28BA276423B0DB59AB1A0940AAEEFF9EEDABA168A3832236675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:39.623{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B18EB1E3FE2C4F3894016BE33F7C46,SHA256=6CDFB5DF036DB9F616E9C282483ADF13030B586D9F8CC2AE4774FB7BF64C0666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:37.530{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55343-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000315322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:39.344{F6DB49F2-D01C-6305-0D00-000000007602}7686032C:\Windows\system32\svchost.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:39.312{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349ED782F579C5BB53ADCE8920D91E9B,SHA256=1070EDE32D4C5CB6BD5BFB44E1D5049B13196C7D1C48E28255E088FE8049A0D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:38.559{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61511-false10.0.1.12-8000- 23542300x8000000000000000303093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:40.740{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC9927F28A743F456781AF1566C5CD3,SHA256=6A3153E540718E1984064CC0CF6CD96DE4EC7060E615685FF09FB2D5C3D9A5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:40.410{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237B812AD9E17E0BAA1995950C8D1916,SHA256=BDE9073D333DB35A3F8429D8086B28DC54C23960892838BCCFEE5746B7869018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:40.128{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\datareporting\glean\db\data.safe.binMD5=61AFD4F8A5C154E2F8279DB1249904C7,SHA256=D129D41C5CC781D0EE234E944FB223BB4A32B49D4C032B551BA2C6D03A8DC578,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.836{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|SpringsCSSSpanBinary Data 13241300x8000000000000000303108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.836{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|SearchbarCSSSpanBinary Data 13241300x8000000000000000303107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.836{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|UrlbarCSSSpanBinary Data 13241300x8000000000000000303106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.836{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|CssToDevPixelScalingBinary Data 13241300x8000000000000000303105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.835{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|FlagsDWORD (0x00000002) 13241300x8000000000000000303104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.835{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|MaximizedDWORD (0x00000000) 13241300x8000000000000000303103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.835{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|HeightDWORD (0x0000039c) 13241300x8000000000000000303102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.835{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|WidthDWORD (0x00000490) 13241300x8000000000000000303101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.835{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|ScreenYDWORD (0x00000004) 13241300x8000000000000000303100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.835{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|ScreenXDWORD (0x00000004) 23542300x8000000000000000303099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:41.765{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26693D5D8230C25791290D4AA7AEF79C,SHA256=4C826D9B938BFC24A61A4695877972E70FB12BB774700F7DDE0E2276D59E66FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:39.830{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55344-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:41.528{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC53E20308C8FB395E95E1359B06FC52,SHA256=D08935AA23C7B6C3E78928F914D9B06101A56C58D1D308613158228FA36A4F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:41.475{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B50AB0BDCA9AB8DAB18E73CF4B062C44,SHA256=3A8697D0588B6261E5D68353428AAB6D6BF2124393372A00951CE19A467A0678,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:41.341{D25361F1-D52F-6305-3F01-000000007502}49442528C:\Program Files\Mozilla Firefox\firefox.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26ac0|C:\Program Files\Mozilla Firefox\xul.dll+e79544|C:\Program Files\Mozilla Firefox\xul.dll+e79a37|C:\Program Files\Mozilla Firefox\xul.dll+864e85|C:\Program Files\Mozilla Firefox\xul.dll+85816a|C:\Program Files\Mozilla Firefox\xul.dll+1a49d61|C:\Program Files\Mozilla Firefox\xul.dll+1a49083|C:\Program Files\Mozilla Firefox\xul.dll+1799e0b|C:\Program Files\Mozilla Firefox\xul.dll+1a6fcad|C:\Program Files\Mozilla Firefox\xul.dll+9ea65f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+184a38|C:\Program Files\Mozilla Firefox\xul.dll+1839bf|C:\Program Files\Mozilla Firefox\xul.dll+4488b41|C:\Program Files\Mozilla Firefox\xul.dll+44f3ab2|C:\Program Files\Mozilla Firefox\xul.dll+44f48dc|C:\Program Files\Mozilla Firefox\xul.dll+1f94df3|C:\Program Files\Mozilla Firefox\firefox.exe+19c6e|C:\Program Files\Mozilla Firefox\firefox.exe+27b38|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000303096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:41.323{D25361F1-D528-6305-3A01-000000007502}4760ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:41.323{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PUUActiveBinary Data 23542300x8000000000000000303110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:42.859{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FED944BC72DC1B36529BC521E7CD72,SHA256=5D26188DD679E17423E4C049119A337F446B43A4495925434997B013CBF5926A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:42.827{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1AA5CDD9A055CC5C42FA879D551F9588,SHA256=CFC2F07EBABEFFBF0D3508C1038D3FBDB74F010D2B8A4450C6916067656ACC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:42.658{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754CB76463D144472D83AF0D2F45C05A,SHA256=1EAFA9A75B0AC044E48F6F47927C743BAD2D54A72627C9FAC7FF8CB7FBD64D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:43.990{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BDFD79D2028A779A95EF10AAE4744A,SHA256=91E3009544D4D07C7E53A2836D6C611700F13DC4736D6B33388C02C89A50F119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:43.758{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51B1ACC3921CDDEA1CD020D71E48661,SHA256=8D8D2849C5F6F51791E8C159006DC6F46CB2367608FBD1C4D6CDCA8B3C02CE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:44.906{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE415F7DFBAEBE66468EA7F5AF148FC,SHA256=5CBACB470EA1840139C0F34AC4432F108F577E0E4840C28B342363E630FC7F54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.683{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.677{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.674{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.670{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.667{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.631{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.621{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.609{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.602{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.591{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.577{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.565{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.551{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.539{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.532{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.520{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.472{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.470{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 13241300x8000000000000000303121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000303120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00a00eca) 13241300x8000000000000000303119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b799-0x3ff65771) 13241300x8000000000000000303118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a1-0xa1babf71) 13241300x8000000000000000303117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7aa-0x037f2771) 13241300x8000000000000000303116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000303115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00a00eca) 13241300x8000000000000000303114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b799-0x3ff65771) 13241300x8000000000000000303113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a1-0xa1babf71) 13241300x8000000000000000303112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:44.358{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7aa-0x037f2771) 23542300x8000000000000000315333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:44.226{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:42.144{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55346-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000315331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:41.889{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55345-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x8000000000000000303215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.718{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.702{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x8000000000000000303213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.687{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6,IMPHASH=82DF5355ECE040AB2EB1CF3A3223A564trueMicrosoft WindowsValid 13241300x8000000000000000303212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.671{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.671{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.652{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000003016A\VirtualDesktopBinary Data 23542300x8000000000000000303209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.639{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=26B2E5419A59C3D69E492377AED2EE4E,SHA256=C3C73A5086AE3A61A2E2E1FAAD08F08933C640B0E3043E03A24DE3CD67460D03,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.553{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FF,IMPHASH=6691D3D33C2662107A11540A5A994674trueMicrosoft WindowsValid 734700x8000000000000000303207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.474{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\UIRibbonRes.dll10.0.14393.2969 (rs1_release.190503-1820)Windows Ribbon Framework ResourcesMicrosoft® Windows® Operating SystemMicrosoft CorporationUIRibbonRes.dllMD5=0E292AC74DFBCBC12876A2B9F1BAD117,SHA256=058A57CF7DE921134A785903FF03CB254F07F901D9561EEFEFFA3597D0CC3BC9,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 13241300x8000000000000000303206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.535{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.535{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.527{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\QatItemsBinary Data 13241300x8000000000000000303203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.527{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\MinimizedStateTabletModeOffDWORD (0x00000001) 734700x8000000000000000303202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\UIRibbon.dll10.0.14393.2969 (rs1_release.190503-1820)Windows Ribbon FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationUIRibbon.dllMD5=9D1DA01AD4A8FE3EB9A3AA8C624A3D17,SHA256=CCBCB2185E26DFDCA2F4E1602C30F5765EC1513CCCEE0B78EB4DD8A5E881D6EE,IMPHASH=508BE6EE4D24037F10E1CECBEADF5B04trueMicrosoft WindowsValid 23542300x8000000000000000303201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.443{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A2995EDD838C8E96AD11B82370F7D0BA,SHA256=3852E9731800E6F05DF49EC393CFC4B60CB5589B0E8BE325A5C584559FE38898,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.374{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000303199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.374{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=5F9B6C9B05956273CC91C5E70B2456EE,SHA256=F51014AC7DD24D56F5C22D8EB33DC1385C0A0A038C510B974BDE6068B5F335F9,IMPHASH=9684B8A64BE29AF37E327ADEEC9F0C23trueMicrosoft WindowsValid 734700x8000000000000000303198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D92AABEAF72AB2FB3B2E2F911477039E,SHA256=300FEBB1EFE1EECA4F535A828104A8F4AEF8FC4785A0456B2D8DA76E7EDAFC96,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 13241300x8000000000000000303197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.390{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.390{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.390{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.390{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.390{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.390{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 734700x8000000000000000303191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x8000000000000000303190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\LocationWinPalMisc.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Location Platform Abstraction LayerMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationWinPalMisc.dllMD5=B434A01D82C206E76243212400B20A3E,SHA256=CDE75D0944230BCB6007D8B0C6D1D29B2776E9811D78CC9F5AE8CF32297D41D9,IMPHASH=730A426B73E1A1E9DEB992613138BDDBtrueMicrosoft WindowsValid 734700x8000000000000000303189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\bi.dll10.0.14393.0 (rs1_release.160715-1616)Background Broker Infrastructure Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbi.dllMD5=60B018C3AAEC6A3994B93BB2EEC673C8,SHA256=F996177E105EE94DA4E3D92722452E34AFE94B2BDB460C94B35D356EFB05B9EE,IMPHASH=13E2C76AF84B189EDFD9672A4188527CtrueMicrosoft WindowsValid 734700x8000000000000000303188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.339{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000303187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000303186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.322{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\BrokerLib.dll10.0.14393.2007 (rs1_release.171231-1800)Broker Base LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationBrokerLib.dllMD5=AE7A119859A3E93719061D1FA7393506,SHA256=204585F28E2F30BA66216B6ECC121FAE1846A4B3007752CDFEC6D8F31CB8CCC7,IMPHASH=79C2ED0B8E31D7898F6F626E62B946FEtrueMicrosoft WindowsValid 734700x8000000000000000303185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.359{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC,IMPHASH=AB0E9B104017117F7BE18F3C6AAC279AtrueMicrosoft WindowsValid 734700x8000000000000000303184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.322{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFramework.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Geolocation FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFramework.dllMD5=4AAE63192B9F6390EF18E15BB304CC34,SHA256=159E50D4710E88B8D568727DBB454F88B8DE1D754AD96B22BFAA69267CDE77C0,IMPHASH=CBBE8DF11127E48D9336142086FFBED3trueMicrosoft WindowsValid 13241300x8000000000000000303183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.343{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x0000000c) 13241300x8000000000000000303182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.343{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d8b7a1-0xa292ffb0) 734700x8000000000000000303181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x8000000000000000303180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x8000000000000000303179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000303178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.343{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\msftedit.dll10.0.14393.4704 (rs1_release.211004-1917)Rich Text Edit Control, v8.5Microsoft® Windows® Operating SystemMicrosoft CorporationMsftEdit.DLLMD5=76AA789092145B52D12BF1B1E8658294,SHA256=8116A9DDDA0090327E537D1C87EE3C6A1716B6228AD20F71665F0E493ACD47EF,IMPHASH=7C36F76BEB38B735155D539BEBF60532trueMicrosoft WindowsValid 734700x8000000000000000303177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.341{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 10341000x8000000000000000303176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.322{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.322{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.322{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.291{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\lfsvc.dll10.0.14393.0 (rs1_release.160715-1616)Geolocation ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationlfsvc.dllMD5=F8EBAA1FE6D3BF84752931DE1BFA0E2A,SHA256=2F3C512712BA709BBBBD779D9E792DBE324876C402CDCEF0345B8B7ABE1D232A,IMPHASH=569F8A3E57C4E0E4B00A007EF79A73AEtrueMicrosoft WindowsValid 734700x8000000000000000303172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.291{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x8000000000000000303171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.276{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1F,IMPHASH=518BBC26E9BA87459E80712401FEE077trueMicrosoft WindowsValid 734700x8000000000000000303170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.276{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\Geolocation.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Geolocation Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationGeolocation.dllMD5=E83A9FA95FC957A6B3BE716D01E5298C,SHA256=B781345F27672F9DEE8B198BC1D44593EDD9ECD06EB654FD023924A398577F12,IMPHASH=1CB15BDFFD09BD7E483469F86B5CAF02trueMicrosoft WindowsValid 734700x8000000000000000303169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.276{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x8000000000000000303168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\Windows.Storage.Search.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Storage.SearchMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.Search.dllMD5=17D1040EDBA639BD1C2F7577D1070498,SHA256=E3F2CF21782C856A639525E84FF3C413C7CD091297C9A248CBC24541E2D76584,IMPHASH=DE60A0BFF7F6069AA615B149D44D1D3FtrueMicrosoft WindowsValid 10341000x8000000000000000303167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.259{D25361F1-D528-6305-3001-000000007502}41844392C:\Windows\system32\taskhostw.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000303166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000303164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x8000000000000000303162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x8000000000000000303160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x0000000b) 13241300x8000000000000000303159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d8b7a1-0xa292ffb0) 13241300x8000000000000000303158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000303156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x8000000000000000303154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:45.259{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 734700x8000000000000000303152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.239{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04trueMicrosoft WindowsValid 734700x8000000000000000303151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.221{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.5127 (rs1_release_inmarket.220514-1756)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=004D25E64FBEDBEB9B514BF94DA17499,SHA256=3BC118B4B6E0DE7E2902ED1F66EC1A708586F35B3F7C324BF5D4CAFCE11A6818,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 734700x8000000000000000303150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.205{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Program Files\7-Zip\7-zip.dll22.017-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=C3AF132EA025D289AB4841FC00BB74AF,SHA256=56B1148A7F96F730D7085F90CADDA4980D31CAD527D776545C5223466F9FFB52,IMPHASH=BC6A26B410657FD67B33DDBF731FD14Dfalse-Unavailable 734700x8000000000000000303149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.190{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\synceng.dll10.0.14393.0 (rs1_release.160715-1616)Windows Briefcase EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCENG.DLLMD5=A683B60F1A5FAC27D1173F937403ED1B,SHA256=57450827A7F7D880F236F27A1D92654A3284842226539A26F311CFA736083571,IMPHASH=0A2DBAAA924DBD2D0A4335D1E0E9A7C9trueMicrosoft WindowsValid 734700x8000000000000000303148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.190{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\syncui.dll10.0.14393.2608 (rs1_release.181024-1742)Windows BriefcaseMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCUI.DLLMD5=D3CD7E690590A1AD564C832DFE1A1922,SHA256=F3CB2B362A0970B106D8B5F27F80D019931090D3ED579C72182163502BA212B7,IMPHASH=39745F2E08404A86C1D135E2AB69B2B1trueMicrosoft WindowsValid 734700x8000000000000000303147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.174{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\twext.dll10.0.14393.5192 (rs1_release.220610-1622)Previous Versions property pageMicrosoft® Windows® Operating SystemMicrosoft Corporationtwext.dllMD5=AD23E6F6DDBC81B6BB5846536765DF1E,SHA256=9A3872A585E0F664A12F102E5C4D771A17B583F01FF6A4C9C2A2E0696055B3E7,IMPHASH=29C3BF5A3E76E3AC1BA5E32244E9991FtrueMicrosoft WindowsValid 10341000x8000000000000000303146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.190{D25361F1-D01B-6305-1400-000000007502}10521180C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.160{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.158{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.155{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.150{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.148{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000303140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:45.049{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57E7552CA1D5AAB65161745F53AB083,SHA256=7C86B7E67323FD0E41C382E8D0B0672F0483BC8B6E3FEC2080D4D94A7639FEE4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:45.056{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x8000000000000000315337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:45.041{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000315336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:45.041{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000315335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:45.041{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=4AD8F9F4964B64FBF79D463A5DD6EA3E,SHA256=AC4C94B14924434CA3DEFE224E80D3BFD8B4078841C3DF2268C46CF215AB0F1C,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 354300x8000000000000000303217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:44.542{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61512-false10.0.1.12-8000- 23542300x8000000000000000303216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:46.241{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8A424582CBF688A50B0D3BBB574210,SHA256=8C54141D7F057C3EE25660C2EA7D53570F919C44C0A3854AC436ACBBE08F215C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:46.772{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=62DAC667967D446FA8AA2E65706610CD,SHA256=B31F7C0D216A32AA650E5863F133E37967CD33A136DD8D997C81EE14510EFE6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:43.985{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55347-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000315339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:46.056{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6F8BE988574787510A2986E676E673,SHA256=5FC0762ED73A790A7D0C4BBB6460E99D2CF15E21CBD50274C6CE48E0A908CA1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.885{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.882{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.879{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.876{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.867{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.864{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.861{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.851{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.825{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.817{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.806{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.784{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.773{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.763{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.759{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.757{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.754{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.750{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.744{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.743{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.740{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.739{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000303225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.342{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5BFE202D1EFAEB18584521D4DCD7B0,SHA256=2279091267F3957919EFC867908BA0BC190E15A07EA9C021BDBCB8FC4AAA7D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.269{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\cache2\doomed\11776MD5=F7DBB2C60A3AC3601E81D5046CAB1189,SHA256=2895C910AF01C13C61742F29AD92F5EAFF6177457A3BCF6DBA90A39E782BD017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.269{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\cache2\doomed\21837MD5=179B0E98FD1FB095A7CF2BDA5E41EFDE,SHA256=9951BC84B8D6B114F3F8BF39ACB5BEC461F7F391DE0B7E214FB3186E57A79261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:47.172{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7024A6F9A00D6BBDF1B1B391822EDD,SHA256=6C8781F25AEE48719072F906EB93789C1E8B4505354C25F5C4A6F8680B1D2CA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:44.359{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55348-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000303222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.233{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.231{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.220{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.216{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000303218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:47.206{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 13241300x8000000000000000303289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.659{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.659{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 734700x8000000000000000303287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:48.543{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8,IMPHASH=33685761AD2886071A8D7CFB81130BEAtrueMicrosoft WindowsValid 13241300x8000000000000000303286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.559{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000303285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.543{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 734700x8000000000000000303284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:48.521{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x8000000000000000303283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.543{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 734700x8000000000000000303282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:48.490{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=CCDEFAE1F31F9F9AED64686A143D3D0A,SHA256=CF96EB0C3422628398D218152A729221C0F5D09F287E083AE88ECD77DB2C11BC,IMPHASH=B96B407351B4F23871E4087C6E937148trueMicrosoft WindowsValid 734700x8000000000000000303281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:48.490{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=F16F9896C90C06D66C3538AD9DA011F7,SHA256=EF2A5483794B7E4D836393CF2F4C3A065719855C16933D25C219E620BB692A8A,IMPHASH=C336F93278ACA9710F465E21059D5842trueMicrosoft WindowsValid 734700x8000000000000000303280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\dlnashext.dll10.0.14393.4169 (rs1_release.210107-1130)DLNA Namespace DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdlnashext.dllMD5=DB3FEFF8118F622BEF9D5019F07AC2CA,SHA256=83A075102103FAB6DDF5890B01CFD5E74BAB722F24EDA78ED7DCDD55325B7678,IMPHASH=2C687E2BD4D0FE6C08716DC497583D88trueMicrosoft WindowsValid 13241300x8000000000000000303279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000303273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.475{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000303271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000303262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PIDDWORD (0x00000002) 13241300x8000000000000000303261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29} 13241300x8000000000000000303260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupViewDWORD (0xffffffff) 13241300x8000000000000000303259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfoBinary Data 13241300x8000000000000000303258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\SortBinary Data 13241300x8000000000000000303257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSizeDWORD (0x00000030) 13241300x8000000000000000303256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlagsDWORD (0x41200011) 13241300x8000000000000000303255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewModeDWORD (0x00000002) 13241300x8000000000000000303254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ModeDWORD (0x00000006) 13241300x8000000000000000303253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid{65F125E5-7BE1-4810-BA9D-D271C8432CE3} 13241300x8000000000000000303252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlagsDWORD (0x41200001) 13241300x8000000000000000303251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\RevDWORD (0x00000000) 13241300x8000000000000000303250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:48.459{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 23542300x8000000000000000303248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:48.302{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4AA4DF1DF35A76011120B53BA4025D,SHA256=DF6C8AB11BC4659B62A50AB00C3AD88334D155FB7636F46FBA88CAFB3E205F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:48.187{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A82D1E03345ACB791DEBDC966ECD21,SHA256=573A725F8FB9DF60D4D929012B0E777EBCF828252DA9FA2DA61C4200EC2F72AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:46.641{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55349-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 13241300x8000000000000000303330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.876{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.876{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.876{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.876{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.860{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.860{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.844{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.844{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000303322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.822{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 23542300x8000000000000000303321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:49.822{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA58197F4F24D2B2752468854671355,SHA256=6F6965FA0D42D7E43759ADC7E0C58E69D3CA759EBFE152F169501B154D06E34A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.807{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000303319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.807{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000303318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.807{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000303317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000303305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PIDDWORD (0x00000004) 13241300x8000000000000000303304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID{B725F130-47EF-101A-A5F1-02608C9EEBAC} 13241300x8000000000000000303303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupViewDWORD (0xffffffff) 13241300x8000000000000000303302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfoBinary Data 13241300x8000000000000000303301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\SortBinary Data 13241300x8000000000000000303300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSizeDWORD (0x00000030) 13241300x8000000000000000303299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x8000000000000000303298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewModeDWORD (0x00000002) 13241300x8000000000000000303297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ModeDWORD (0x00000006) 13241300x8000000000000000303296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid{65F125E5-7BE1-4810-BA9D-D271C8432CE3} 13241300x8000000000000000303295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x8000000000000000303294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\RevDWORD (0x00000000) 13241300x8000000000000000303293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:49.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 734700x8000000000000000303291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:49.775{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x8000000000000000303290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:49.775{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 354300x8000000000000000315347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:46.905{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55350-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:49.186{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D747213DCE0EB2911258E77C50D1111,SHA256=9A812123FB2CBEDB2413D632CEB62203D27A78053FC5ECEE0887E3F361111430,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000303377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000303376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000303375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000303374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000303373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000303372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 13241300x8000000000000000303371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.975{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.975{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.975{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x8000000000000000303368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-D525-6305-2201-000000007502}8201008C:\Windows\system32\csrss.exe{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000303367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6CtrueMicrosoft WindowsValid 10341000x8000000000000000303366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.979{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x8000000000000000303359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.959{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000303358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.959{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 23542300x8000000000000000303357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.959{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DB26B3044042FDF2D3806F2DDFE0CD,SHA256=42248A9ED77490A985DD6E80AC3C5CEA7BBD0DF3E06D959B2913DDB25DE5EC58,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000303348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000303347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000303346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000303345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000303344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000303343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000303342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200011) 13241300x8000000000000000303341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000303340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000303339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000303338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000303337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x8000000000000000303336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.944{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 23542300x8000000000000000315348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:50.255{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59470F335541B74EE85B810AA2F55E5F,SHA256=0FBA40A6CB367496155D38D78F0844EB013D22730E5A82D9AE53291D5DBE53AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.744{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.744{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.744{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.744{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 23542300x8000000000000000315350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:51.386{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4E2BE332A0EB3861BC9D20FFE84CED,SHA256=5932C1E5B802ACB0C43B7E314462013C3D97DD388799F3E3B408D47D36342FD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:48.925{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55351-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000303407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:49.589{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61513-false10.0.1.12-8000- 734700x8000000000000000303406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:51.006{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:51.006{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000303403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000303402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000303400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000303397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{00000000-0000-0000-0000-000000000000}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000303395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{00000000-0000-0000-0000-000000000000}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{00000000-0000-0000-0000-000000000000}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{00000000-0000-0000-0000-000000000000}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{00000000-0000-0000-0000-000000000000}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{00000000-0000-0000-0000-000000000000}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{00000000-0000-0000-0000-000000000000}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:51.006{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000303388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:51.006{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000303386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.975{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 13241300x8000000000000000303385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.991{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.991{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.991{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:50.991{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x8000000000000000303381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-D01B-6305-1600-000000007502}12881948C:\Windows\system32\svchost.exe{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-D01B-6305-1600-000000007502}12881324C:\Windows\system32\svchost.exe{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:50.991{D25361F1-F8EE-6305-8605-000000007502}4128C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 23542300x8000000000000000315351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:52.403{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E24D6111AAF2EB6D8B277E577CEDD95,SHA256=8271E08F8452A9D00B07C759B66D17646449D5400486AA85BAF2861CC77C1F23,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.375{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.375{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.359{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000303439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.359{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.359{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000303437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.344{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000303436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.344{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000303435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.342{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.342{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.341{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000303432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.340{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.340{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.339{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.339{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000303427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000303426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000303425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000303424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000303423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000303422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000303421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000303420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000303419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000303418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000303417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000303416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x8000000000000000303415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.323{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.144{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.144{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000303411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.144{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000303410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:09:52.144{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 23542300x8000000000000000303409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:52.091{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88D61793D8764A2C153F4C4AE59CD6D,SHA256=9A23253303B7F82B88D3C753994FD73C22710DB728575AE977A334214F0D11EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:52.091{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E9EF153CA3340346A5A2AD2EE2EF25,SHA256=A445785D6F6873772F0115582B56E815C7AB8F440AC9F758C5AF366EB9DC1ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.905{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFAECA6E55CB3E9120F82D9B6F070BC,SHA256=F3136AEDD0D2682C3852C7141A9065408B6FBA0F23AEB3EF512F39D3172B86CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:53.222{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036141623CE30383D090945B94A0092C,SHA256=D7CBB987264B217E1E53ABD883F47BEBCC9405035267820163CAB571CF148C96,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.339{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000315407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.339{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.339{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000315405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:51.124{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55352-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000315404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000315386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.138{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000315369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000315368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000315363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.122{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.123{F6DB49F2-F8F1-6305-E005-000000007602}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000315412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:54.975{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA38A42A13790DCD2F2BA636E77A95CE,SHA256=146C40108BD0D35922221D84260F21C4C7F2D9F9C49E25A10B7454B457FF80DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:54.239{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982F8D3DFAAF72A219F87DA8F7DC073D,SHA256=4B368681C952890BF35CB22C36F4A4BBDFC9EB8A7C320A839F814C94A9203F30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:52.865{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55353-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:54.302{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=086E4199D1F71B000D8B83E68BFEF2CF,SHA256=1D86DEB233B11ADF0B7639C203D9B616F06334E318CDDF987912652324F6E2B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:55.332{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53C16B3FE6BC146392DCC1EF324FD1F,SHA256=352C7E65F4A636FE8217D0B4526692887021806D695B8B987FB9BD8A1DF1D637,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.999{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.998{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.998{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.996{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.996{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.995{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.994{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x8000000000000000315524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.993{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.986{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000315522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.986{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000315521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.985{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.984{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.984{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.983{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.983{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.983{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.982{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.982{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.982{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000315512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.982{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000315511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.982{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.982{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.981{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.981{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.981{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.981{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.981{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.981{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.981{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000315500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000315499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000315496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.980{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000315494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.979{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000315493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.979{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000315492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.978{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.978{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.978{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000315489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.977{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.976{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000315487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.976{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000315486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.976{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000315484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000315481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.975{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.974{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.974{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.974{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.974{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.974{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.970{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000315471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.968{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.967{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.468{F6DB49F2-F8F3-6305-E105-000000007602}37125652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.468{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.468{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000315466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:53.324{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55354-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000315465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.321{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000315456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000315441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000315429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000315424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.305{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.304{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.304{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.300{F6DB49F2-F8F3-6305-E105-000000007602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000315582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.374{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39FECCC67618AAA9A73DF821E56ECC2,SHA256=BBFAB2ECB6B599C8116D9FEF9B4C8D476A5D1D1D04C7C26B9270D7A969732870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.328{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.320{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.317{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.312{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.310{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.306{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.302{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.299{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.297{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.290{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.269{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.266{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.265{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.264{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.248{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.237{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.198{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.192{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.175{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.173{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000315559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.173{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC74BF4EF36C3990FA60B132C55E599F,SHA256=612BFFA3967970E4F1E824E95D7CD58976772FCADAF0587AFDEEF6A963CE56E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.169{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000315557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.138{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000315556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.138{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.138{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000315554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.118{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.114{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.112{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.111{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.110{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.108{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.105{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000303447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:54.625{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61514-false10.0.1.12-8000- 23542300x8000000000000000303446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:56.421{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBA3594C0B42F7047616D62B147185C,SHA256=D71330C849C99F1802730A695A6565C0A1FD4C2553006EEE51D5424DC4B61E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.098{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.095{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.090{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000315542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.084{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF86917510ABE51A5998435C98B20F42,SHA256=4A43EC3287A3FF01BC036823F91EC9A5B0FCC61E76913567D89A8EB61CE296F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.083{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.080{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.069{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.062{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.057{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.046{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.031{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000315534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.022{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000315533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:56.000{F6DB49F2-F8F3-6305-E205-000000007602}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000315532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.999{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000315642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.754{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1C73BD86CB88C8FB6C6EB15A9450BC,SHA256=E6B3BA6861D6A7CF97FD18E0E7B6BFD23355ECAAC29CBA08CF9F3D85E2DD3BDB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.692{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x8000000000000000303448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:57.538{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134D8C8BFD3F5E8360C48613B795762E,SHA256=4522D7FA7286E83F92954C83D1D4D3909FCA7829F5D07667F275A4AE672ACB8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.691{F6DB49F2-F8F5-6305-E305-000000007602}50644948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.682{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.668{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000315637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.637{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4043C6D49116F89C8EA99C87F2B4D7C,SHA256=DC1AB57CDDF1CB01D033864BBB0FC07E89A1D1306E9A6225F9803072C9A43450,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.506{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.506{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.506{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.506{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.506{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.506{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.505{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.505{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000315617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000315601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000315600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000315596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000315594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.484{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.485{F6DB49F2-F8F5-6305-E305-000000007602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000315583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:55.622{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55355-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.885{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B19C6EEAA89F959320F93D9050B328,SHA256=48C7EEE466DAC1884767E4827C020CF5D8A7BC0E7E571CC3840B693B26D412C5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.853{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000315731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000315715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000315711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000315709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.838{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.839{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:58.757{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE6806E0381F2D460A4725DC3B8484B,SHA256=53957139BDB4CC2C88E3D3D9EE48E6238325F50C4F635FE7B947701925B1A106,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.339{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000315697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.323{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.323{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000315695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.169{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.169{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.169{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.169{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.169{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.169{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.169{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000315680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000315663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000315659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000315656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000315654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000315651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.154{F6DB49F2-F8F6-6305-E405-000000007602}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:58.537{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=147FD5DFFF0B553B3E6EC2B912A0EC0E,SHA256=E30B85F4A7CA5A1F8C574BE7F78946336E1A87A369F5DEBF152AD9E32A1F48AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.989{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528E34DD033409C6D9906FEB8658FB3C,SHA256=F563BE58577B88C896C46ABD812C7B43BB09203690C4404A9B77A2CF3628B0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.974{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7E11080662E39A0F0EAB95A9C788FB,SHA256=6E506BFF4BADC0DE25112B1FF30A5F275FFA7F96231ABB03861B74FBE6FF2A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:09:59.856{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1B47CAED681060F76D58F99CDAF364,SHA256=5005B44135825361484CC5209E2AB9B13E31574D0BEFF9BF8EA82087C8AE542A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.711{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000315811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.711{F6DB49F2-F8F7-6305-E605-000000007602}49283768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.711{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.711{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000315808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.541{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000315788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000315773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000315769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000315767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.526{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.525{F6DB49F2-F8F7-6305-E605-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000315756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:57.906{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55356-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000315755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.006{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000315754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.006{F6DB49F2-F8F6-6305-E505-000000007602}60563396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.006{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:59.006{F6DB49F2-F8F6-6305-E505-000000007602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000303452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:00.987{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F8214A655625FF5DFDC7F3FE8ECDD2,SHA256=60ECFDA6B189D7B0CE4D9C14C2EFE5ED5C5A95BC1DF7589FF645C16F6FF58582,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:09:58.818{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55357-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:00.009{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECDD58F81A49DC9D79CF9D3A34F4BCB2,SHA256=E5E44DA8A19FA052655569B9D2F0B66C9ADB076795590C0FCA6AF699B5DE48BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:01.092{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396EC01217C3AB4BC5CE6A0587D4A0A9,SHA256=41A6B26817EE1CB9D705F671E76E5C0A86C56D02C05A2C6EA8FF1AF15F21732D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:02.768{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-169MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:00.131{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55358-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:02.166{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6CF1FABA7816CEF64C498DB837E645,SHA256=8D7FC389F1378C82287618780D55B8665E60CCFFB7522B608AEF6B2F00F2E7E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:00.653{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61515-false10.0.1.12-8000- 23542300x8000000000000000303453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:02.102{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A5400942D179D1BCAA113A4229D952,SHA256=4965DF610E2D1B1780CA02750191499A08040D3CB6755848E5154C1A3B181F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:03.767{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:03.265{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B3070B5B2E4951748D52F814F8A8CF,SHA256=8E98CAA4ECF0220765A924040AF1DDFD3959C320D557F2F23A8142F286F474E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:03.235{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B9A1D575F0D547CBCEC6D5FE53AE4A,SHA256=37F4A26576DA0B6E59E5F3AAF44B41118C3F0072435E4462FC8C3D07BF2C057F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.671{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.664{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.661{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.659{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.657{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.628{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.622{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.602{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.596{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.588{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.576{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.569{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.558{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.552{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.543{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 354300x8000000000000000315824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:02.398{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55359-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:04.366{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88D05D9620AF355EF9970C3CB2791FE,SHA256=8FECF4F63F66406AC5FD18DD4B35510B26E6BF332877F787011890F9A6A4C559,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.534{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.488{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.484{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000303456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:04.339{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84467CFE75646D888DCCB5203A4170B4,SHA256=23A7AC40C0E479BA6019A2EE37FCB818274781BBDD73F730011EAE4EA676CE05,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000303525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000303524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000303523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000303522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000303521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000303520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000303519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000303515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000303514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000303511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000303510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000303509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000303507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000303506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000303505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000303503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000303502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000303500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000303499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000303498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000303496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000303495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.982{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.982{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.981{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000303492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.981{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.980{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.980{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.979{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.978{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000303487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.978{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.978{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.978{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.978{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.977{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.977{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.973{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.470{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F2092EB6D5CCA555CA404D9A7A9C16,SHA256=FC3137FD6EF2590867C811DEDC887E9172A7CEA638882454D8AF84F9B970EAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:05.466{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1131BBBECD6F05D4BF4E14679666320,SHA256=A3D9BED4D7A19EDAF4B81859D3A0DCCD3CF042B6BF50C20B28136D51BE1B6B5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.112{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.110{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.103{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.099{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.097{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000315827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:06.536{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306F6F844820F0C6975FFAA093E24004,SHA256=9E6AB2F14D4C52AA82D30D58CE0DCEB3020D123CD47957C3D885EC977B44B636,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:03.846{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000303586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.839{D25361F1-F8FE-6305-8805-000000007502}66203780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.839{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000303584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.839{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000303583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.686{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000303582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.686{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000303581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.686{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000303580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000303579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000303578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000303577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000303576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000303575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000303574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000303573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000303572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000303571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000303570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000303569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000303568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000303567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000303566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000303565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000303564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000303563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.670{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000303562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000303561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000303559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000303551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000303547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000303542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.654{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.655{D25361F1-F8FE-6305-8805-000000007502}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000303535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.142{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000303534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.142{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000303533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.142{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000303532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000303531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000303530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000303529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000303528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.983{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000303527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:05.984{D25361F1-F8FD-6305-8705-000000007502}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 354300x8000000000000000315829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:04.683{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55361-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:07.516{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB538A994DB1BABE6C95AD5B93EF313,SHA256=923F3D1D5EDCE5050D110FDB2363D4E3751F637509F6FB3B4D254B98778951FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.854{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D9FD7736F777DCA8E72C4551E2C459D2,SHA256=7853F13557736D55DEA6D99A84255C79DF74FD906AD7383F242C814991063C96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.851{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.848{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.845{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.841{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.836{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.832{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.830{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.818{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.782{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.770{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000303658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.764{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217A04CA953715D4A8B315C9B7276CE6,SHA256=8E366D00E1A840124A658E3635A66950B296719D65E924166FBAD6E4FA0571BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.760{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.726{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.719{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.706{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.701{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.700{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.697{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.694{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.692{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.691{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.689{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.687{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 734700x8000000000000000303645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.486{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000303644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.486{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000303643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.486{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000303642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.417{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6E1F0FD6F5B46663AEE18F10C2A9D9,SHA256=7639DAC67A52D1DCADF679A6EAA9092E8C9C7A8746EB59D46B2FAEC8837596B9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.339{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000303640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.339{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000303639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.339{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000303638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.339{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000303637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.339{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000303636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.339{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000303635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.338{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000303634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.338{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000303633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000303632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000303627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000303626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000303623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000303621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000303620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000303619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000303618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000303617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000303615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000303614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000303613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000303611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000303610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000303608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000303606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000303605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000303600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.318{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.319{D25361F1-F8FF-6305-8905-000000007502}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000303593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.174{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.173{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.164{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.160{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000303589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.155{D25361F1-D530-6305-4001-000000007502}40324888C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000303588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.131{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7C18264B74DB06E908472D1A37CF4B,SHA256=E9D2E58E7D85B58D1238A4B1B056665E7262F835148C20C390B4B639923B09EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.130{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB6FC4E2E14CAD372AE481BEB468A276,SHA256=F3A808414BF83554FED188A3DDDAEE1B288319A62B3A4A03986E4C58A6C07EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:08.585{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E927041F512A8B4239B0AEC22DA347,SHA256=5F64DCE1EDE32E565BC9E05905FE1BA7F24A180EE1FE44E09072180396628D54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:06.868{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55362-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000303774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.890{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000303773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.890{D25361F1-F900-6305-8B05-000000007502}923860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.873{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000303771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.873{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000303770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.773{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8550CC4CD707CF5945699DA854C821D,SHA256=2A756A3A990F23879ADE5048FDEA163998D5971A4098CAC2C0FE4073AD945F38,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000303768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000303767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000303766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000303765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000303764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000303763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000303762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.717{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000303761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000303760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000303756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000303753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000303752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000303750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000303748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000303747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000303746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000303745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000303744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000303743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000303741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000303739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000303736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000303735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.701{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000303734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000303733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000303728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.686{D25361F1-F900-6305-8B05-000000007502}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.417{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17988738204314BCC8216472F1FDF4D,SHA256=20330CBBA75A0C22377544517238390348AF1109D7C5D757B8FEA1970A10524D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.170{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000303719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.170{D25361F1-F8FF-6305-8A05-000000007502}69885920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.170{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000303717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.170{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000303716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.017{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000303715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.017{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000303714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.016{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000303713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.016{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000303712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.014{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000303711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.014{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000303710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.013{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000303709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.013{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000303708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.007{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000303707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.006{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.006{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.005{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.005{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.005{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000303702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.005{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000303701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000303698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000303697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000303695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000303694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000303693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.004{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000303692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000303691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000303690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000303686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000303684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000303683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.003{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000303682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.002{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000303681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.001{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.001{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.000{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.000{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000303677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.000{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.000{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:08.000{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000303674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.999{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.999{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.999{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.999{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:07.994{D25361F1-F8FF-6305-8A05-000000007502}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000315832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:09.717{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B58A95E8BA232FB5C37D27B5659E61,SHA256=ABC2BF700C89390E3B44ED1FBDFCAC232854D599C107C89DBDDB60EB075C8440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.874{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EC0176CA7992B31BFBF9154AD82D65,SHA256=AD48CD500566AB1DF667C0C852984DF9A3A547A1B4E49D36B14980C81C97BF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.858{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACD8643FB628A3D49FFA0348A628101,SHA256=EFA8D6E4D744FDDE24164C0F39A1E6241CFDB6E8B96B91906ACBC187E8BD9D5A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.574{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000303829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.574{D25361F1-F901-6305-8C05-000000007502}65886616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.574{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000303827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.574{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000303826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.389{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000303825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000303824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000303823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000303822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000303821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000303820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000303819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000303818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000303817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.374{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000303816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000303815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000303811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000303809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000303805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000303804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000303803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000303802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000303801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000303800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000303798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000303797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000303793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000303792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000303791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000303786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.358{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.359{D25361F1-F901-6305-8C05-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000303779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:06.672{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61516-false10.0.1.12-8000- 734700x8000000000000000303778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.230{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=92CD5DA45ABA4CE45313783FCB345D99,SHA256=B0F20BE2B144056E488F8FF51E266F426625E64E3C91CCD17895A441A0935C46,IMPHASH=7712978A8D93CC3BE5668BB2C1A9F990trueMicrosoft WindowsValid 734700x8000000000000000303777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.228{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\System32\shacct.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Shell Accounts ClassesMicrosoft® Windows® Operating SystemMicrosoft Corporationshacct.dllMD5=6C3405DC9DB5740B6B2AD3AF67031A2E,SHA256=223153AF2A71D3549CCE25D3EAA294DD44471EA8A0733E5AC1EFD7D99D03886E,IMPHASH=F9EDABA9B540C273AC125BA9D119C3AAtrueMicrosoft WindowsValid 10341000x8000000000000000303776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.234{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.231{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000303897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.986{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3602AFE9490BD97EE97A097B8A144869,SHA256=E8F093C19AB6764A433FB889346C6B256F3DFF27D9B9F0EA88D0B0FC3DAB1435,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.875{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 13241300x8000000000000000303895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.859{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.859{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x8000000000000000303893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.859{D25361F1-D528-6305-3A01-000000007502}47602344C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.859{D25361F1-D528-6305-3A01-000000007502}47602344C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.859{D25361F1-D528-6305-3A01-000000007502}47602344C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.859{D25361F1-D528-6305-3001-000000007502}41844392C:\Windows\system32\taskhostw.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.859{D25361F1-D528-6305-3001-000000007502}41844392C:\Windows\system32\taskhostw.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000303888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.859{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x8000000000000000315835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:10.854{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E2FFDF28DFD1E471F20268ECB5044E,SHA256=87A325965D84A51CE89C677F2B1E7777CE40CD79EB24399C9BE1026C27F8B73A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:09.054{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55364-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000315833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:09.018{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000303887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.844{D25361F1-D528-6305-3A01-000000007502}47602304C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.844{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x8000000000000000303885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.844{D25361F1-D528-6305-3A01-000000007502}47602304C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000303884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.844{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000006025C\VirtualDesktopBinary Data 10341000x8000000000000000303883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.844{D25361F1-D528-6305-3A01-000000007502}47602304C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.844{D25361F1-D528-6305-3A01-000000007502}47602304C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.843{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.843{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.843{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.843{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.838{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000303876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000303875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000303874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-D01B-6305-1600-000000007502}12881948C:\Windows\system32\svchost.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-D01B-6305-1600-000000007502}12881324C:\Windows\system32\svchost.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000303871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000303870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000303869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000303868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}5886416C:\Windows\system32\conhost.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000303866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000303862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000303860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.806{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000303853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000303852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-D525-6305-2201-000000007502}8203248C:\Windows\system32\csrss.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000303851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 734700x8000000000000000303847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 13241300x8000000000000000303845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6B2CE3D5-C272-4917-8204-21FB495ABB24}\LaunchCountDWORD (0x00000002) 734700x8000000000000000303844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 13241300x8000000000000000303843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6B2CE3D5-C272-4917-8204-21FB495ABB24}\LastAccessedTimeQWORD (0x01d8b7a1-0xb1cadf70) 734700x8000000000000000303842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.791{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 13241300x8000000000000000303841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:10.791{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 10341000x8000000000000000303839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.775{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.775{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.775{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.775{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.775{D25361F1-D525-6305-2201-000000007502}8203248C:\Windows\system32\csrss.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.775{D25361F1-D528-6305-3A01-000000007502}4760836C:\Windows\Explorer.EXE{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+20f440|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+16f9c0|C:\Windows\System32\SHELL32.dll+18377c|C:\Windows\System32\SHELL32.dll+19e928|C:\Windows\System32\SHELL32.dll+183916|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000303833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.779{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp\upload_files"C:\Windows\system32\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000315836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:11.985{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F9E4E5DAF04441973880A771B4E219,SHA256=D6FAC6115D903A22E74ED429FDF0BE6BE362F1DA7D5FBBECE537C7FC6AFD852A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000303979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.856{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000303978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.841{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000303977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.841{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000303976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.637{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000303975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.637{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000303974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.637{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000303973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.637{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000303972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.637{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000303971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.637{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000303970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.637{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000303969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000303968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000303967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000303966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000303965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000303964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000303963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000303962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000303961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000303960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000303959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000303958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000303957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000303956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000303955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000303954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000303953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000303952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000303951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000303950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000303949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000303948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000303947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000303946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000303945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000303944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000303943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000303942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000303940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000303939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000303938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000303937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000303936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000303935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000303930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.622{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000303929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.623{D25361F1-F903-6305-8F05-000000007502}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000303928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.142{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61517-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000303927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:09.142{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61517-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 10341000x8000000000000000303926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.216{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.216{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.216{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.215{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.215{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.215{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.206{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.206{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.206{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.203{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.203{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.203{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.201{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.201{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.201{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.199{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.199{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.199{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.194{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.194{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.194{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.193{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.191{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000303903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:11.191{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000303902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000303901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000303900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000303899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000303898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:10.822{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 23542300x8000000000000000303981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:12.125{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7229CBC77187394479D1CCA398E2314,SHA256=71492BEB8C0046DAD7C0BCE4ABBAA19B4112E1804613C9B0CD629D7D299866E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:12.110{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A666B45DE8F4DB86C35B335091B7841,SHA256=EB06E57BAD1F5EFEA1D81514B35600EEF24645BE11F0ABAB8ACA57FB1B930F07,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:13.871{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000303983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:13.871{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 23542300x8000000000000000303982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:13.238{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9275CC9D5B962136CDEB872BF8F94092,SHA256=7CA97A51D0ECFDC60A1FD984E81B0B37B58C5920AB407B9ECB61139897B9BEF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:11.240{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55365-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:13.069{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B2978CAF99219B34F36CD2409DC37F,SHA256=5E0641E231EFD6A6A3DDFFF968E8786A374CA6ECBC7785D79546484050FF9098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:14.184{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70E3F73939CF97A848A3C9DCCF804C8,SHA256=B3B77144B452C345EF4F6FA210263012B7D3EC6FAD478ABC48E9E736F7536E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:14.413{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-169MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:14.353{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B881999025719CE49669E49D6EA3BE,SHA256=B942A5D672D40D7446D4EED80C929373A64C5BFD5BFE5859F82334813DF15F5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:15.991{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:15.983{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:15.980{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 354300x8000000000000000315841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:13.538{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55366-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:15.286{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FA62A7EA00F3DA62E9FE3ABD587C7F,SHA256=7FB91385B0BFAC87AC8C225C07903B376E27B90EB80A156F3E9F3EB96639795B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:15.424{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:15.371{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BDAC17F6A672C79AFD42FDA84B384D,SHA256=9CA7EE89836BABBBDE63751673896675F78E3CB75CFBC5292F55A2C17D85FA98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:12.643{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61518-false10.0.1.12-8000- 354300x8000000000000000315893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:14.817{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.539{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D5FC14EB6B4C5115A6DCF70B4223E5,SHA256=5EA06793D232BA59B554622AA94C6697E0D4946B463CAB86D1B20B59EF92EDBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.302{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.294{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.292{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.288{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 23542300x8000000000000000303991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:16.571{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=F47B1C6CCFB41ED55807A78557223788,SHA256=AF090EF069978D4C621F29C6BC193843558672C50A3C3CBF962A0C3B31A941D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:16.473{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3F91B9E2385A561F0F4F19C34C8D15,SHA256=A28BD3235511030BC0B339D65B93117564E5CE7BCCAE6DCB12612B77C473F407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.279{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.276{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.274{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.265{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.244{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.241{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.240{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.240{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.224{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.211{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.177{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.168{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.157{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.151{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.148{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.145{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.140{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.135{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.134{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.131{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.124{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.123{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.117{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.115{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.111{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.104{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.101{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.088{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.080{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.074{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.066{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.058{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.050{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.023{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.018{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:16.009{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000315845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:15.999{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 354300x8000000000000000315895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:15.821{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55368-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:17.358{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2569270BE6DAE4EF13F28A4B3B5EAE8F,SHA256=C297F0189A73E4B534C729186728032A0E7E829BB6B84B12B9592C58B938E1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:17.591{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982C20957493B4AE76725058B0E8756F,SHA256=5C23D738561C4DFE70E102F314F334F267945A4CE1C4040A892B2A1601649A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:18.722{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9009C15C5C68B9961A1477BC71CAA91F,SHA256=FFAF8C4067D46667F6B80A2585EA60049A9B580C5D51055E28F87F5CF1584AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:18.500{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D94362DA2294A78569F256ABFEB0103,SHA256=A9131FED68BF9898A5FAEC213B53D3FD971CE4B02A517355B7C54AA64CB16CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:19.937{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097FE45E42BF73D590394D9705A350E0,SHA256=C72DF4AE15F63A778A751F79234648304CCDE5E12820CC2880E76838F33E0D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:18.117{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55369-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:19.518{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416145AD4D86B92A2F2BB8AEA98CE051,SHA256=2ED6EA9CD1FDF65FAB7A4370F215263AC10C0570593CA058316546D33BBDD54C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:17.658{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61519-false10.0.1.12-8000- 23542300x8000000000000000315899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:20.619{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64127B92C3FBDC09AA25F5F3F842B92D,SHA256=47D03756EBC5DA19320DF73DF80FFB42C766A5898F350412D2B21CB5C0FC4ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:20.628{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:20.317{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55371-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000315901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:19.999{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:21.653{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7788F61A3DE6493A47F7EF2E7543B,SHA256=E194467E58FDF17689E990A1145BD481C255F65303CAD8E88D18914F6D607DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:21.070{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE17C6AF548A4005F20FC0CB7934AF32,SHA256=B3472D060DB9C7E46933E67FDB3817B5C0A40A79587D3A5D5C710359EA608BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:22.783{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250487825D061FA270B976924DFB4D39,SHA256=7307037E2F2E11D4DE27506560959BEC7EC8AA7204C57BC6D05876DAF740DFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:22.220{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5D6BCD93CA4BF64AA97AA50DD2CBFF,SHA256=0E3A0D7837DB74D1E8D7FE56785998F61D33A1CCA76F80ECCF18D9DBF1E6EC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:23.866{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C581144FF62AD042FC41C04AECA694E,SHA256=0A6FB726871203F3246BB4C184B772234125F8336E9E65225CD0E50A0330B97F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:20.079{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61520-false10.0.1.12-8089- 23542300x8000000000000000303999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:23.335{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660B186C470900C91F5A52C12C6EE22B,SHA256=8CAA1C9A1D53EFCC4B742B9C0DA1C1A2103E7BA36360CD34A8A9CAFB37F7F92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:24.981{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4B538CC3D1CC2BDF82E6F64698B3EA,SHA256=235EBB3C84435A44055D3D1CF791E182224E66B51E1B0AE43913B2EB848B23C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.691{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.684{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.681{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.679{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.677{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.654{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.648{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.637{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.633{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.626{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.618{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.602{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.592{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.585{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.576{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.568{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.516{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.513{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000304002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:24.435{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFB011BE3863D174D4FB773A4CC32F0,SHA256=9B96671B82C98326DC1C65DCCFD0CFCBB0639759AD63BF2936FCA82110B82CC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:22.686{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61521-false10.0.1.12-8000- 354300x8000000000000000315905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:22.599{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55372-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000304027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:25.961{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=38AB23951576FD54250249D5246822B3,SHA256=19F5828DE445395AF6ED8B35990677ECD9E279B11332A83E13DE5067A6FDEC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:25.473{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D85C4A1EA7DAAA0D94F05424239113,SHA256=B6182CB456E54028D7A6CF2B0228DBC974DB5E1A031774535E4B0CFA21BFC795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:25.250{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=891B0DF02C74CBBCF0C934511F5909BA,SHA256=66EA52FAFF71A33804D95E635C7F7315E6633B3E87B5A003DAD722EB9A25E7C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:25.111{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:25.109{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:25.101{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:25.097{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:25.095{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.791{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000304034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000304033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.776{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000304032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000304031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.773{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000304030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.769{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000304029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.767{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000304028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:26.570{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8817848E8AA518A197859B1AE751DE18,SHA256=C594A40A5A6DE3A73AEF18CDE2E18356B02113ED3D317C54A463923D2AC3E02E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:24.800{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55373-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:26.096{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE49920B5750EBEE25010AB2C749835,SHA256=F67AD76A4A8B3FC20805795401296817A1A74370C2D31974BC2A914AA43AF689,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.836{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.835{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.834{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.831{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.826{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.823{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.820{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.817{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.815{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.807{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.785{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.779{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.769{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.740{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.732{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.725{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.720{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.718{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.716{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.713{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.710{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.709{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.706{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.705{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000304044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.673{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA81E6064876E31761C9C72B3CAAD3AD,SHA256=5FB6EEE6215B6583F761F6BC995B42758E8C5191904744A9BF1C28FE0AB6F8B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:25.814{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55374-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:27.196{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24CD6605582EF77E4375687B143ACB7,SHA256=3B9B222772DE6735B39EBDFFC7F2869B345D067464670930B0F8B9464A1F74F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.190{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.189{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.174{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.173{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:27.167{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000304069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:28.813{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483BBC29688A2306D6E5DD6EE883FE81,SHA256=40C6F7793B86B568E0DBDBF5A6AF3769CF7FA8C07020083B1470B6335C934CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:28.314{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E470F99A61D7758343E9EDDEFF08F2E6,SHA256=D58D1B8818C60EE759852A697AAB54F8E49BFEDD73A74C1C2A47A3C0E2D0A50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:29.836{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EFA756352D2C38DDDF1EC892E48F6D,SHA256=00EF8534563379BA6D90410E09614D0123BDD5F9CAAD4F534744EE41CCF44EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:29.448{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7288064225CC1979340E90A4241D4D,SHA256=09539382B62881CD849234E13A41444FCFE2352092BA19D22EC2239BF4DC7645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:30.867{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808693F0721638F526758EFC3899D12E,SHA256=A9D0119983C76F5C99877316983756920A2C994B928023359DDBA190586B9499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:30.553{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1CA294DA2DC8854913AED6EB4BB3C54,SHA256=548AF1AA14F9E70C462E00B1AE6E466CFEDFCDFC7F6DE5919088B54337E2890B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:28.671{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61522-false10.0.1.12-8000- 354300x8000000000000000315914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:27.082{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55375-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000304073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:31.986{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B576870A7AE4F74F5FF8C385D0F8131B,SHA256=6473D80F1E1D6272E9962857ED5EFD315B2B5BA3E73AD50184696CBF2CB2096E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:31.584{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440308DFCF4F08936C56C29E4AC30FF8,SHA256=F83FD3215431F8EEBB4C6DDF90FB05CF6603BE5365D9E37C9EA429BE1ECE4AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:29.397{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55376-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:32.716{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AB29C08670C84C51E94D0ED0E8584B,SHA256=6E60ED2BDACC106C6125B86B349B045102E8B2F4E4BCB521D7CEA917D54B9340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:33.751{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D431424D5067BBF233211FD0D01335,SHA256=137F7E1DDD5A38ED70176B25E69690072482EDB6DFED84E737FC81ADAECDE50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:33.101{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F6008C6DB2A13BA0BA8AF34B4CFA91,SHA256=626F70C4228DE78D1CDCB4D6452353C19C65D140B63814C2276E4B4AE9AF471F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:30.995{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:34.882{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595F43ECE3E40BC81F11E787B50F44BF,SHA256=1A3280E1AE632F479AF46CD1F472B5249A2E2AF9C705CAD76C8C2F0EC003822C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:34.216{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95718D860A79756BEBD97D8814DB932,SHA256=2DA5FE79988CA89EC735D93646C2D150E9ED734EF06D0CB127D16386A3D9F50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:31.585{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55378-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000304076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:35.317{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AAE61C59BF5F78FB66C0AB85B811AA,SHA256=CB41C543CB6515742D5876D7E85E494F0224E4AAD0159FEE1E70408A213050DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:35.989{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:35.980{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:35.978{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 354300x8000000000000000304078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:33.715{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61523-false10.0.1.12-8000- 23542300x8000000000000000304077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:36.431{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ECAACD07DC662EAE04B749536EAFE4,SHA256=71E1729A67A3A186254CE897F8DA5065076D52DF12034A97161345F7190EAFEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.550{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC0C874E7A18E241DE448CFDA5B621D,SHA256=0118F4B458EA5A60C269D71FC62FC1A9233BDD477AA84365739C1116FBAE6A3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.302{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.300{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.298{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 354300x8000000000000000315972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:33.899{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55379-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000315971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.295{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.292{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.290{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.287{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.282{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.279{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.277{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.269{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 23542300x8000000000000000315963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.266{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D0ABCD38F282DF5EF63F6618E9755B64,SHA256=3FD48E58D643A5372EF0F3D6DC3843DABC4E2E72AFBA6A7CAA60CA064619D157,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.253{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.252{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.251{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.251{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.240{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.228{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.202{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.196{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.188{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.183{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.181{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.177{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.175{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.170{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.169{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.166{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.163{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.161{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.158{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.153{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.151{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.146{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.143{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.140{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.130{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.129{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.116{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.108{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.098{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.091{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.084{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.076{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.041{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.031{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.014{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000315927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.000{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 23542300x8000000000000000315926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:35.999{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE72993CCA1EAD816E3A8F67FDA305A2,SHA256=8D7302EF697F5E3F10BA0B70DF36DC06668C5B63C102AE7FDD2D821B84DEC425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:37.983{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B9F634E2CFC2D424FD299BA0783936A1,SHA256=273AF8CF3C2FC7707F036E83F84DA9278C2B7901F0A3AD618427C80FE9C9428C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:37.563{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6637268B4A3DC1B2339ED60B2C16D2F8,SHA256=B68F07E3593F5F0648F33CCA8D6EA31930DCA026985100FB22173C17B3B990F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:37.082{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6D37D9626F1931F5C78D75E45BFEF4,SHA256=C282835D8930633C5527043C9B27F800DD48D325C8B0B7C72B9DD7E06A4955E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:38.698{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C930FBF03B6ADF2E8A9B978E1819F052,SHA256=737F3CD6B8C1C5C05933D4F20BD275F133E371E633F90D036A9D768445740D96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.173{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55380-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000315985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.328{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000315984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.328{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000315983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.327{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000315982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.324{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000315981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.324{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000315980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.324{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000315979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.323{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.181{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76ECD4AC44D58E1E93774C6099C58A8,SHA256=A8398527FEDA04C86B5AE092044D799368911671292AED415009593D0C0F9C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:39.829{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C938A96FDE5A9D114AFEDBD71476705,SHA256=D003959907D7A01AA4370BD192618EF86149E3B50714EC0A80F4DEC5484E967A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:36.977{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:39.268{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028F5392FA3279A0D66600EC86B3E171,SHA256=5C3679A7A37CA56CC81DC93593BCC5831FB97C39CAB389AAAC1E7356472CD556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:40.944{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D520B08F1CFAFC7BABF7F1141B55B7B9,SHA256=8195ECE8B99213DBB45246A0EBEFA9809B339F33313590D750E264F4091E4C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:40.401{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02BA3A1E6ED6F768CFF6C1E90EF9B65,SHA256=15CD25D637E2BDBEC6BCF6E4B3ED1BA39DEF98B71BC08BC900F32CBC687123A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:40.319{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\datareporting\glean\db\data.safe.binMD5=7C43A29E5B22D02FFD63D7D025344088,SHA256=07E5FF6E1EC9EE51638AF7410CBFCD7526F89C5988F05C914FF5B355DF4FB27E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:38.352{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55382-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:41.386{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5AB112734FA724666931FF91E455EE4,SHA256=613CC75CE77FEA45ACEF3A083933F4419D949C870AFCFB63BA12CD2B02AE7BD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:39.664{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61524-false10.0.1.12-8000- 23542300x8000000000000000304085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:41.481{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=538092513B9245BA9040C2206EB7D711,SHA256=0AA2C39BF031BBDABDCC9453752E704318E9CC8A53EA04E3937B9BA3909B6954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:41.012{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=7C890B6BD759DCC469B4EECBCBCE13AC,SHA256=F1868E2BA1CED583A777137726599E49B0613119BD899BB4EC7593B668EAE32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:42.838{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6C4AEDB592016F5D95942CEF5D410810,SHA256=E82F7886D23F958D4CB86F37F8A00CCBFB4BC15EDF23BABD7E8722415FCA4113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:42.518{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78E9C017F611D4FE0169B9AF28483F5,SHA256=37B2D4008EA7A748941A98AD6C96468E97E9FE972D926EF60856E652CF7DA7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:42.062{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AA3EB39B1B39404FE5045FBB48100A,SHA256=364A549105F4F9ABCE59BFE1CC37C42C7D2D1F5FC62ED36C605E31979A5A700A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:43.540{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3BDD09EE429EBADCA236A1F661BDBB,SHA256=E641081194C1178B5EFE80CA9EAF8FD35E7FD82482E5790839CB29D804FD9BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:43.095{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23191B2BC547D72C3099B010D5C6DCA,SHA256=0979006378525EDEF88F19273E14F0B59D5C6DB5938AE7766423641BB8097460,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:40.639{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55383-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:44.668{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854E409550A7E1B18BC5AEAA203C135B,SHA256=375B968F2776D3C1FECCA8FBE4F06A0ACC0963EA09C6B2F393AD2973087DBB8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.695{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.688{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.685{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.679{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.677{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.650{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.643{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.624{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.615{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.606{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.596{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.585{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.573{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.563{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.541{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.529{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.473{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.469{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000304089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.227{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FA6F1F7CFE74F808ACC70E4F44D48E,SHA256=420E53467677CD76067F7E5D546E2EB7BC2C8F6FB56347124574898EEBB3F50C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:42.938{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55385-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000315998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:42.899{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:44.239{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:45.817{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE66CA261BBDC51BAF976AFCEF81284,SHA256=734D76C60D2303949B5D28BC1095D7C0BD577D254EAF2B7D3629CD70257EE2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.728{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2873F5C704ADEF7BC384E894A0A00CEC,SHA256=B1D8C344B37DF89A5C26E0299EB1E904DCCF624D6845E68E1C730BEF460918F1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000304121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:45.265{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTimeBinary Data 23542300x8000000000000000316001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:45.352{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\datareporting\glean\db\data.safe.binMD5=664895FDB60B0D68697D41F252AB3DB6,SHA256=E0AEDD510443A65BB12AFC8F801E5AC2C175B9336B5F756E7A53469F30850C96,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000304120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:45.228{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTimeBinary Data 13241300x8000000000000000304119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:45.196{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-94-75-48-79-a8\WpadDecisionDWORD (0x00000000) 13241300x8000000000000000304118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:45.196{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-94-75-48-79-a8\WpadDecisionTimeBinary Data 13241300x8000000000000000304117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:10:45.196{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-94-75-48-79-a8\WpadDecisionReasonDWORD (0x00000001) 10341000x8000000000000000304116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.196{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.196{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.196{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.196{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 10341000x8000000000000000304112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.108{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.106{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.102{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.099{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.097{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000316005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:46.937{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0214F792F80B053863DE2FD92BEE35D4,SHA256=1C10FC1A8683B639FB45A02C66D8E4A6187EACAA91F9B2220E7A7881D270E3D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.674{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local59757- 354300x8000000000000000304126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.674{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local55835- 354300x8000000000000000304125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.673{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local59802- 23542300x8000000000000000304124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:46.297{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D362DEADC63FC0A775A02C582D61599B,SHA256=43ECFEB9EB933A0EF01C8200217BA9A9FED6B418190A4C9F00461657509128CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:44.016{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55387-false169.254.169.254-80http 354300x8000000000000000316003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:44.007{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55386-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000304123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:46.261{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1DB5DF45AC9369DC82D4B781C14C8DCA,SHA256=1B84303E0853A9C99C19F3B89D42D0631C06AE8B380D99F6B61F9C67DAA0D445,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:45.564{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61526-false10.0.1.12-8000- 354300x8000000000000000304158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:44.687{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61525-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 10341000x8000000000000000304157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.838{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.838{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.835{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.832{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.830{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.828{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.825{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.822{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.820{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.811{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.792{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.785{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.773{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.731{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.723{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.711{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.705{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.700{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.692{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.690{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.686{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.685{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.682{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.681{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000304133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.380{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FFD5F73428976D095439BA309F9349,SHA256=FBF6259E510480A83800705F88CA67BBCFBD7AEF546D7B406AAC61D1B0446EB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:45.137{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55388-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000304132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.164{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.162{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.151{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.150{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000304128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.143{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000304160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:48.464{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07A8E708CA3B2CD9318046E93611E89,SHA256=C8E52138397D750B7198DD141D80F7CE5A531D300287AB0EF1D6B9C7D7343F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:48.037{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E02304AC261B05CB7D237A133D000BE,SHA256=614EA64C5CC54ED91EA9EECABAC23579A7DA5A2EA2E487AD5F86D46590E5B6BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:47.230{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local59454- 23542300x8000000000000000304161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:49.595{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338546E7A41351BE393409517643E4DC,SHA256=CA54F82F91BE3FFCA52B44E549A00B4E89F967C3E1CE8AF346F2B4DD7A034E76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:47.438{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55389-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:49.168{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AB76D7DD842D8C1A4D424DF7FC8A41,SHA256=E9F50BEE7F2CD030D6F8D4C9053D386C8E567C5C89015AB045EF50246B96970F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:50.926{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2605019949D3FBC0187635311334F103,SHA256=EAB2C091597604E8F5E9C912D2A5F98544E3576F79A8BCCA78DF50B06D2E2339,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:48.913{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55390-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000316010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:50.283{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238D6C8B643C575A7041F1721AFB49B0,SHA256=ED0692A00456AC78DD0A999C17FA1234CB112B1298893241B213AEDD1E355AFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:49.737{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55391-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:51.398{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47634B9E16D12370B89A188FA14503C,SHA256=D50949C658E4051CBF4D0B9877D7B775C457C87AC42F71960C5A9F38A94F9B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:52.536{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880B751DAE5D01304A35C0D28514DDDF,SHA256=3035E8A5BF1A1E44BD0E62A159F7931BE85CB0FAFC79B28FC49A9F4D9AAA72A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:50.624{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61527-false10.0.1.12-8000- 23542300x8000000000000000304164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:52.031{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE294F90651F49BE1990AD215EF23A7F,SHA256=6C50353351E24487DE46F004A29FA565533F6B1C06582C15DDFE32326DEDB985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.783{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A128975F4992C3F0F0FADD7E68F552C,SHA256=2163897D4831BD7CE2F9E2F03951697DEA9CD34417E982F940669BB9A5A0FD9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:51.951{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55392-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000304166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:53.131{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED05F2839141D9D75062DE59BB6CF30E,SHA256=B631B362A0A3F1A6F8D83776294F6A889C1CD5D2ED29E060D289DA3F28F72BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.491{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=45C2F78BBF12D37209441F8FA3CBCFE4,SHA256=E3BBAFC4828DE9EB577D3BBE0778D0071B711F9BD2D942823D3E24A2C4F21AA9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.371{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.369{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.368{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.166{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.166{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.166{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.166{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.150{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000316032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000316026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:53.135{F6DB49F2-F92D-6305-E705-000000007602}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:54.636{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC68689E23D008574AF88BC989EF41F,SHA256=75962B94CA8464593996AB5F37904D51B359393583280F08E768CB1CCB1DB56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:54.263{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E14329BDCB72F98A937435E1E4B2EDB,SHA256=B286D731582BEBC92DC701D512175F305E4FC163400A8BF3460148EDEAA85112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:54.200{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC64D57A84BE6A19F867D75436305D52,SHA256=8035672F0B0024F1AD25B3D2CBD52A412FFD5C1EABEA8240AE707BB98520312E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:55.331{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0D23E06B02D269AB718153A8968A98,SHA256=E285BAF53DCFA36DAC271AF3DC381F6250EA519917B215EB81BE566C0836C9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.999{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.992{F6DB49F2-F92F-6305-E905-000000007602}50562412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.992{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000316195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.992{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.991{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000316193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.981{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000316192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.820{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.816{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.816{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.816{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.816{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.816{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.816{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.815{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.815{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.815{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.815{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.815{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.815{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.814{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000316156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000316153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000316151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000316149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.803{F6DB49F2-F92F-6305-E905-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E95491D781092D042E3432D8A63020,SHA256=4888BAC6554735AA6A050BA60EAC31186D6F3E1E56B4138479D95F040470140D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.799{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840FA8F9CF8C03943F58DA30A35E1112,SHA256=E327BA5CAD52F3E03D119E24F0D25973128C7BB8D5E6197961336481D191FD42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:54.220{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55393-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000316136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.489{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.487{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.486{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000316133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.383{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=88EABBE599EF2990B97CD7D14AA3B978,SHA256=E5E0A15E6720E99C2EB5980E577B8F85C4D3832E69EDE6249CA90196689F5EF1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.320{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000316123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000316102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000316098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000316097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000316096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000316092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000316088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000316085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:55.299{F6DB49F2-F92F-6305-E805-000000007602}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.900{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B304AE637B54921D80DF8AA9431DE18,SHA256=178FDDCF8A1AF83FF55F8DF5FC016A0A8BC9CD350E7003FA5210459779E5593C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:56.416{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D049448EECCF4ED7E44DBB1840C8AAF,SHA256=6CDA2E5469040D15B92B5C5B19C523444ACFEB196964125491E5BF2E8FAEEE08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.418{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DE4AC9B17BDB9F0A158421F83229E0,SHA256=07EDABBE3FE61C20FA0AA4CFD2827489C82368D6C58B1A0240557B88C8814DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.239{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826797725E34DCA6F6BDBE8880CAF349,SHA256=9D654D173455A5C02E7209F76507E65DBBCD7F3938A89241DA6A944DF2DB21D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.233{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.231{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.229{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.226{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.224{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.221{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.220{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.217{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.214{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.212{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.205{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.192{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.189{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.188{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.188{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.177{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.168{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.151{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.146{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.138{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.134{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.130{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.123{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.122{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.121{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.120{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.117{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.114{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.112{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.108{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.106{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.102{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.097{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.095{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.085{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.079{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.074{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.067{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.055{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.049{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.026{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.021{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.015{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000316199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.008{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000304170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:57.546{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E0121661F6983A1081D7E06C999CD2,SHA256=E10187B072224842DAF531E1ADC7C8488C6ADDD93FF0079946B8602EDE7D0B47,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.722{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.722{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.722{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000316302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:54.931{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55394-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000316301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.538{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.538{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.538{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.538{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.538{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.538{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.538{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000316287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.522{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.521{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.521{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.520{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.520{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.520{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.519{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.519{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.519{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.517{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.517{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000316265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.517{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.516{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.515{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.515{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000316261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000316259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.514{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.508{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.508{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.508{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.507{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:57.501{F6DB49F2-F931-6305-EA05-000000007602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:58.664{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13072DCD8423D1EE677676DE2EF70F2,SHA256=2BE698AC7AA958931675262E2F8700B2893F528B10B45C40C447C6626018E81A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.984{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.984{F6DB49F2-F932-6305-EC05-000000007602}52883756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.984{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.984{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.786{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000316375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.770{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.769{F6DB49F2-F932-6305-EC05-000000007602}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000316363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:56.401{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55395-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000316362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.268{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.268{F6DB49F2-F932-6305-EB05-000000007602}51043508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.268{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.268{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.121{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.116{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.115{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000316319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000316316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.103{F6DB49F2-F932-6305-EB05-000000007602}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.100{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2B049FD1BFED1622A0E9CAA0E7D2E7,SHA256=1826443E1F15C1793B0C9FB178226571B38B6475BE761909EEB413BA10AB2B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:55.631{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61529-false10.0.1.12-8000- 354300x8000000000000000304171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:55.441{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61528-false169.254.169.254-80http 23542300x8000000000000000304174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:10:59.913{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9ECBD486618B04AFBED0B8F092481F3,SHA256=C56572BB62D1015CD5155B9710332E49E085BA8E3C3F977D78761BBEB6DD618E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.889{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5258D5230725C2917AA753E2F85CE80B,SHA256=870F8734473EDE2D9D2BEF26780705F1C96DCB508E7F03BE104B305866E6F9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.842{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C62B12BA1DD6FB731854D5A74CF895,SHA256=07600A6800065F0FDCD4953891AAC4C21E7A8A793B569F02815DAE2E78F7217A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.583{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.583{F6DB49F2-F933-6305-ED05-000000007602}5584856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.583{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.583{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.452{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000316439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000316435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000316433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000316430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0C00-000000007602}7203280C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.436{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.437{F6DB49F2-F933-6305-ED05-000000007602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.237{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807088C281F531EBD1590D4EEB4AC543,SHA256=B5355B0776631CFA45854B14281C0261BF956B8612882312B8350FB50ECBA928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:59.217{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B750214A2D75A84BC3EBE61AC90810D5,SHA256=F21B8A9ABA5B3C07E7D2263C03CAFF4E0F72A1E1A19D704034EB5DFE9A52919B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:10:58.685{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55396-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:00.252{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D22485E90D57177FEBD8B37789A9E36,SHA256=4B9610E77A09128CCD22C34F0193DA8F7CF6E46254F4F6E8C5DAE06482597E56,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.664{D25361F1-D528-6305-3001-000000007502}4184C:\Windows\System32\taskhostw.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 23542300x8000000000000000304243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.703{D25361F1-F934-6305-9005-000000007502}6004ATTACKRANGE\AdministratorC:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\0[1].txtMD5=6A4F2CC239AC64106B5B61CD9C59A349,SHA256=EAC1976D9A1F588524AA59B55EB56FB513F4C0C29B5CEEAA5AF30E5712AFB834,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.664{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\urlmon.dll11.00.14393.5291 (rs1_release.220806-1444)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=EB23BDE140B2A7A40A10923024B4B945,SHA256=F839955D9722980FEC4540AC2FFE3C8225434A40FDF12C7F6A67E9FF3B7AA7E8,IMPHASH=E530C982EE775310D0834EA7C551BBFDtrueMicrosoft WindowsValid 11241100x8000000000000000304241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.686{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\0[1].txt2022-08-24 10:11:00.686 734700x8000000000000000304240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.686{D25361F1-D528-6305-3001-000000007502}4184C:\Windows\System32\taskhostw.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 13241300x8000000000000000304239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.664{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000304238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.664{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x8000000000000000304237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.664{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000304236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.664{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x8000000000000000304235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.633{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 10341000x8000000000000000304234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.633{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000304233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.633{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 13241300x8000000000000000304232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.633{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 734700x8000000000000000304231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.601{D25361F1-D528-6305-3001-000000007502}4184C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 13241300x8000000000000000304230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.586{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 734700x8000000000000000304229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.586{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 13241300x8000000000000000304228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.586{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 734700x8000000000000000304227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.585{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 13241300x8000000000000000304226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:00.584{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x8000000000000000304225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.583{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000304224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=44DF25F229E9374FA1290BE1CA03026B,SHA256=A446A296E85934FD9D10D7BD5B086FE6B4972FD7E93D4CC0ADC1068DD7A5AD81,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 734700x8000000000000000304223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x8000000000000000304222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000304220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000304217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.564{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=52FD1288FED0BD435BBA02023D8A5394,SHA256=C277A8E6B6E25656085647270AF0D6673DD3C6B29C99260825CD5909FCB82549,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000304216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.548{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000304215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.548{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.548{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.548{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x8000000000000000304212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.533{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\wininet.dll11.00.14393.5127 (rs1_release_inmarket.220514-1756)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB9D348470B507BC5761495A04335B06,SHA256=F538BC5C83DC2A3ECAF99BA1786066A6D511DA2BC3971B937882171315AA46C0,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 734700x8000000000000000304211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.486{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000304210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000304209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Temp\upload_files\c2_agent.exe-----MD5=54DC70B4DDC0747D4ACB035A8DCA0F2A,SHA256=D3FC9AB03C621BBE4AAC12B3C10916E4157176BDDF9D9F22F5C4D927A5F67064,IMPHASH=A0E97A24ECFBE5C6C399A4ACFE90B744false-Unavailable 734700x8000000000000000304208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.486{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.486{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000304206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.485{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000304205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000304204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.484{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000304203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.484{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000304202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.483{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000304201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.483{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000304200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.482{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000304199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.481{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.481{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.481{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.481{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000304195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.480{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000304194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.480{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000304193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000304185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F902-6305-8E05-000000007502}5886416C:\Windows\system32\conhost.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000304181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-D525-6305-2201-000000007502}8203248C:\Windows\system32\csrss.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.464{D25361F1-F902-6305-8D05-000000007502}8607052C:\Windows\system32\cmd.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.462{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe-----c2_agent.exe 10.0.1.16C:\Temp\upload_files\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=54DC70B4DDC0747D4ACB035A8DCA0F2A,SHA256=D3FC9AB03C621BBE4AAC12B3C10916E4157176BDDF9D9F22F5C4D927A5F67064,IMPHASH=A0E97A24ECFBE5C6C399A4ACFE90B744{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp\upload_files" 354300x8000000000000000316484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:00.016{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55397-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000316483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:01.382{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A4B2D6715FB5932BA581CBB5155DEC,SHA256=889D672335CD0E8CC117A323248EAEC60E16A6E2C08076E8D9D90E506421ECE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.481{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6FE5B064D8207493F28DA4EC2A77FD3,SHA256=DF933887CFC31FB4BA547EF43BA62F840A94C305BE8F85B55D7E2167033B8F25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.203{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.203{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.203{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.203{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.202{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.200{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.200{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000304253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.152{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9DE40102FFA7786DC44557E76F9EB2DF,SHA256=1AC4A980D8C3006B6C29B8839F34161E55D6E0A6899FA2F7ED03B57CA5ED1845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.145{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF842926913233B0D3CC6FFE6C59DC2,SHA256=1B15E685FF9FC7171CE9A7C7E168B0D7EE8C570CE44A4391B6AD1EFAF7DE88D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.135{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964EAD02742F2ABDF8FEB96D5C0589B3,SHA256=18CF54E50FE87AD6D2BCAD89A5F78CDD433DFB99C73F60AF20F8A06275375B7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.110{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.110{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.110{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.103{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.101{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.101{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 354300x8000000000000000316486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:00.898{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55398-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:02.517{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1707D2B4782CFA45907DF8318446C26,SHA256=0F89665F84B851EE36EDC02D01AEF49B9FB8AB9F5E643D694EBCFF2E936C0C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:02.233{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06F2FD0A9D31422F886DEFE60B95052,SHA256=7BB49AF3B10818EA434E00886E1BB0B020F562D6D6D3A1F6FFE9B25A0B242E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:03.538{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF86710D87126E5B60840D0EBED5579,SHA256=25587217AD90DC9D8A3B08FE10135A07AD30EB82161A9A12E7CD86724828DBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:03.266{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BB4CB099E83E3C2DD0FE2C44F94D1C,SHA256=0EC843890F8FE705B729FBE2F75977566CCE7FFF1B80AC9F5369D942E7F5C165,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:00.150{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61530-false10.0.1.16ip-10-0-1-16.us-east-2.compute.internal8081- 10341000x8000000000000000304264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:03.063{D25361F1-D029-6305-2900-000000007502}26722216C:\Windows\sysmon64.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:03.063{D25361F1-D029-6305-2900-000000007502}26722216C:\Windows\sysmon64.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000316490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:03.097{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55399-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:04.650{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D681DFE0D80175A8036CED99C7D5A23D,SHA256=9584AD6C3C6CDEDA5A0ADC2CC1C2330355132F2418B719AE80F03968738CC3EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.702{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.691{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.688{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.684{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.681{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.651{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.645{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.628{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.623{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.612{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.602{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.594{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.580{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.573{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.565{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.557{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.497{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.493{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000304268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:04.383{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA268DBDBEE7E1657023390F026A8F98,SHA256=BBB5BFFD3C7B45C297363A5E6FCDBA7CF63139FFD28605B85BD8EDAF027D1A9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.532{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61149- 23542300x8000000000000000316488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:04.304{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-170MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:05.781{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CB3996D75A56A5D2EB8C037C936E49,SHA256=6B8B68C91880E47B6206856829B657839CB132D6834972C560D24E8BA237A66A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000304319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000304318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000304317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000304316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000304315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000304313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000304312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000304311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000304307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000304306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000304305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000304299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.982{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.387{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CB72B3A8BACECE8AC113571315930D,SHA256=97283556DDCB768A0D396EBBF95AE6C996AE79FE9145148D9DB6CE71D325EDC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:05.298{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-171MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:01.566{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61531-false10.0.1.12-8000- 10341000x8000000000000000304291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.193{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.190{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.187{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.182{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.179{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000316493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:06.863{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB87E23A329800C394D076513B0A85E4,SHA256=135C1AF7537763160FD5414A47716F89B9F2D6C8392BD72628B56337BD09E771,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.850{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000304400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.850{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.850{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000304398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000304397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000304396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000304395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000304391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.687{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000304388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000304384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000304382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000304381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000304379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000304377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000304376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000304375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000304373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000304371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000304369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000304367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000304366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000304365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000304364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000304363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 23542300x8000000000000000304361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F3F911979ADB74C3F7E4A753116220,SHA256=E614D09E97178F9998D314DFE6FBD3E93F7869C85A7E866CC9F47AC8D09FE166,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000304357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000304352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.665{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.666{D25361F1-F93A-6305-9205-000000007502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.329{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=8B8F40A2C181930A59B16A851757A080,SHA256=83D1D6BA23731056F6865F5F03D72C9C6ABCF4147358DEEABB92BE192C33D5C9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.150{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000304343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.150{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.150{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000304341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000304339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000304338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000304335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:06.002{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000304331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000304325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000304323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:05.987{D25361F1-F939-6305-9105-000000007502}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 23542300x8000000000000000316496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:07.966{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5022F0D427B2CE920ECEAC3433167672,SHA256=B1DCE49647C10D1D3E756DEF6A45849AB2D2B9D04922194790982CE5E45A9BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.982{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93CA706418D7CC28370ADF4350458C7,SHA256=4311D802EA1849374C7CFBCECB98EC288ED41155A38CD46E4B120B779C14FE5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.919{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.916{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.916{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.906{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.902{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.900{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.897{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.893{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.888{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.886{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.880{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 734700x8000000000000000304529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.873{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000304528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.872{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000304527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.872{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.870{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.869{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 354300x8000000000000000316495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:05.779{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55401-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000316494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:05.384{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55400-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000304524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.868{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000304523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.868{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.868{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.860{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000304520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.860{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.859{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.859{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000304517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.859{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 734700x8000000000000000304516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.859{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.858{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.858{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000304513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.858{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.858{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000304511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.858{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000304507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000304506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000304505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000304504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.857{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000304502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000304501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000304500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000304496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000304495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.856{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000304494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.855{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000304493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.855{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.854{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.853{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.853{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.852{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000304488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.852{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.852{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.851{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.851{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.851{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.851{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.851{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.847{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000304480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.840{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.810{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.801{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.788{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.781{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.780{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.777{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.774{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.771{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.770{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.767{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.766{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000304468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.734{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B14E0ECBC0DBDEF8C77CC23D1E16E9,SHA256=B078EAFB091EBCE450DE255F9421B22283C58A31DCEA7C0CB69CB0EAAC462F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.518{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC6A01A9891B0E08D392AE16753868F,SHA256=D24C4EEEF0AB76E7D8EFF2EF1B378643C0FE1B0EAA85F36C246003C84B44F99E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.463{D25361F1-F93B-6305-9305-000000007502}41524832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.463{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.463{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000304463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.436{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF2592E980BC1CC40DCF2F388232524,SHA256=62556DAF6BCF9BCF3453DC859BAC2DD69F2706938FDAB5A69A634D54AB8D374C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.408{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.408{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.408{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.408{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.408{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.408{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000304456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.405{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB2A1634FC10727644553FE5DA55EE91,SHA256=4192157FD272C6E4547844FFCF20EC39C4250F9EB0861F3B34441BD94FBBEDDB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.314{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000304454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.313{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000304453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.313{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.312{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.308{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.308{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000304449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.308{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.307{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.307{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000304446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000304445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000304444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000304443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000304442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000304441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000304440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000304439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000304438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000304437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000304436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000304435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000304434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000304433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000304419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000304414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.287{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.284{D25361F1-F93B-6305-9305-000000007502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000304407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.253{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.252{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.243{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.241{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 10341000x8000000000000000304403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.235{D25361F1-D530-6305-4001-000000007502}40323452C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AE850) 23542300x8000000000000000304402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.134{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC111AB5CB81897EA5365EF4C43EF8D,SHA256=2CBDE5AEFBB072D13C8B509225039E3B6DF8323B62B0D782FFDBD39D2B25DFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:08.988{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995940BAC67286A5B1C3058D210F6DED,SHA256=2CB0E5C67CD6B85CE3930D122AD406E012C7C816564875095F4D02ACC09FD0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.873{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8088AEF21119F3E08D5E51DA6A129E,SHA256=9919D563020F1E46AC92BCFE4BA83D5EB107914F7AB88C34B6FF0F84E187DF7D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.857{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000304596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.857{D25361F1-F93C-6305-9505-000000007502}46522460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.857{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.857{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000304593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.658{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000304592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.658{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000304591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.658{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.658{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.658{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.658{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000304587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000304584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000304577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000304576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000304572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000304571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000304570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000304569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000304568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000304566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000304565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000304562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000304560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000304559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000304558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000304557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000304552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.642{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.641{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.641{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.641{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.641{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.637{D25361F1-F93C-6305-9505-000000007502}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000304545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.227{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000304544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.227{D25361F1-F93B-6305-9405-000000007502}28766976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.226{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:08.226{D25361F1-F93B-6305-9405-000000007502}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000304651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.973{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9382D0CB6744A82C65D80DF84464ED,SHA256=E4E07DECB9F5AF4BEB7A422E4A79F5326AD561AF6738A34A0B218FEEB9AF68BB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.529{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000304649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.529{D25361F1-F93D-6305-9605-000000007502}23883004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.529{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.528{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000304646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:07.508{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61532-false10.0.1.12-8000- 734700x8000000000000000304645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000304644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000304643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000304639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.342{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.338{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000304636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.338{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000304631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000304626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000304624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000304623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000304622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000304621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000304619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000304618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000304617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000304613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000304612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000304611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000304610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000304605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.321{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.322{D25361F1-F93D-6305-9605-000000007502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000316499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:07.566{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55402-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:10.006{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397F376D61F72BF773149F214FC7C069,SHA256=32A31283DB797383275982E1D3697F1C8AAFE070DA5907BC9E7E6C79FA58E362,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.937{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\mintdh.dll10.0.14393.0 (rs1_release.160715-1616)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=32254E75260F1CAE3AB9EAC044B344B7,SHA256=B714E3CDEB23E63894D62E9335F51E301A9093F263623CCEFA2F674AABE7D629,IMPHASH=92D4FBE8F70FD95D329EA4882A8C3278trueMicrosoft WindowsValid 734700x8000000000000000304848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.984{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=3E6A8784A88486C59BA7E05BD97BED6F,SHA256=233AC68F140E2A5D856AE0DAEAB6930BD368F517B211FE1FC0FFCB55B915617A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 734700x8000000000000000304847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.984{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000304846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8,IMPHASH=21CAA202FAEFBDF78B727F64E8C79245trueMicrosoft WindowsValid 734700x8000000000000000304845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\tdh.dll10.0.14393.5125 (rs1_release.220429-1732)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=6F455C95F294B3A3E34102BEF294D45C,SHA256=2182F234811B1DF1A366AE925A8167C0BC519AEBAF55A92887E36651EBA7E347,IMPHASH=E0A9B1840595F8507313FB797C5187E6trueMicrosoft WindowsValid 734700x8000000000000000304844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=52FD1288FED0BD435BBA02023D8A5394,SHA256=C277A8E6B6E25656085647270AF0D6673DD3C6B29C99260825CD5909FCB82549,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000304843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000304840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000304839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000304838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000304837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000304836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x8000000000000000304834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.960{D25361F1-F93E-6305-9B05-000000007502}55326724C:\Windows\system32\WerFault.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+ef98|C:\Windows\system32\faultrep.dll+8602|C:\Windows\system32\faultrep.dll+70ac|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.959{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000304832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.954{D25361F1-F93E-6305-9A05-000000007502}32046812C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.946{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000304830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.946{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x8000000000000000304829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.945{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 10341000x8000000000000000304828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.944{D25361F1-F93E-6305-9B05-000000007502}55326724C:\Windows\system32\WerFault.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+7f4f|C:\Windows\system32\faultrep.dll+70ac|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.944{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 10341000x8000000000000000304826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.944{D25361F1-D01B-6305-1600-000000007502}12882000C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.942{D25361F1-D01B-6305-1600-000000007502}12881324C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.942{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000304823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\AppXDeploymentServer.dll10.0.14393.5066 (rs1_release.220401-1841)AppX Deployment Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentServer.dllMD5=A7076F38D29D5B8FD017CCA2D2921E63,SHA256=763F45580B9D7EE2B9E7A09D82E8A988248302350F84A596126E392ED341B234,IMPHASH=17D28C3D59D0E856F7CB5D0D40C782C8trueMicrosoft WindowsValid 734700x8000000000000000304822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.942{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000304821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.941{D25361F1-F93E-6305-9B05-000000007502}55326724C:\Windows\system32\WerFault.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.941{D25361F1-F93E-6305-9B05-000000007502}55326724C:\Windows\system32\WerFault.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.941{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x8000000000000000304818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000304817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000304816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000304815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000304814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000304813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000304812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.919{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x8000000000000000304808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000304807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000304806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 734700x8000000000000000304803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000304800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4704 (rs1_release.211004-1917)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=3FDF46C5A31DF9DF51A9A35A9C8384E7,SHA256=5281D1A922E0D20A317A463DE785AD46EB230AACB570AFF682BAB88797A33300,IMPHASH=A01D9CC1D2689B25F39978D6E8E8DAEBtrueMicrosoft WindowsValid 734700x8000000000000000304797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000304796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000304795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000304794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000304793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 734700x8000000000000000304789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000304788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000304787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.904{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x8000000000000000304781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-D525-6305-2201-000000007502}8201008C:\Windows\system32\csrss.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000304780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000304777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.888{D25361F1-F93E-6305-9905-000000007502}41045928C:\Windows\System32\svchost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|c:\windows\system32\faultrep.dll+695b|c:\windows\system32\faultrep.dll+6fc1|c:\windows\system32\wersvc.dll+af4c|c:\windows\system32\wersvc.dll+86c3|c:\windows\system32\wersvc.dll+7624|c:\windows\system32\wersvc.dll+6b23|c:\windows\system32\wersvc.dll+5508|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.891{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 2140 -s 116C:\Windows\system32\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exe"C:\windows\system32\cmd.exe" 734700x8000000000000000304770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 10341000x8000000000000000304769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000304766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x8000000000000000304765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}41045928C:\Windows\System32\svchost.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+aec9|c:\windows\system32\wersvc.dll+86c3|c:\windows\system32\wersvc.dll+7624|c:\windows\system32\wersvc.dll+6b23|c:\windows\system32\wersvc.dll+5508|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}41045928C:\Windows\System32\svchost.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+acb9|c:\windows\system32\wersvc.dll+86c3|c:\windows\system32\wersvc.dll+7624|c:\windows\system32\wersvc.dll+6b23|c:\windows\system32\wersvc.dll+5508|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}41045928C:\Windows\System32\svchost.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+88e0|c:\windows\system32\wersvc.dll+857c|c:\windows\system32\wersvc.dll+7624|c:\windows\system32\wersvc.dll+6b23|c:\windows\system32\wersvc.dll+5508|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}41045928C:\Windows\System32\svchost.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1441C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+6ee0|c:\windows\system32\wersvc.dll+6b23|c:\windows\system32\wersvc.dll+5508|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\Faultrep.dll10.0.14393.4704 (rs1_release.211004-1917)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=3FDF46C5A31DF9DF51A9A35A9C8384E7,SHA256=5281D1A922E0D20A317A463DE785AD46EB230AACB570AFF682BAB88797A33300,IMPHASH=A01D9CC1D2689B25F39978D6E8E8DAEBtrueMicrosoft WindowsValid 734700x8000000000000000304760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 10341000x8000000000000000304759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-D019-6305-0A00-000000007502}6166556C:\Windows\system32\services.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.873{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x8000000000000000304756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000304750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\AppXDeploymentClient.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)AppX Deployment Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentClient.dllMD5=C1B7C819744E85143C8D45AA3A169D95,SHA256=37F2C1098F17F739867866D49A63FB13F2BC246F3AED4998E0F84A8DAA876B6B,IMPHASH=25D44439F18A7678D22EBE0E51E0B433trueMicrosoft WindowsValid 734700x8000000000000000304749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924trueMicrosoft Windows PublisherValid 10341000x8000000000000000304736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-D019-6305-0A00-000000007502}6166776C:\Windows\system32\services.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000304733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000304732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\weretw.dll10.0.14393.4169 (rs1_release.210107-1130)WERETW.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWERETW.DLLMD5=1325BA707320C3DC1024560DEA903AD9,SHA256=227376F2B461D7B2539F223E92CFBCBD5EA7DAE182BF277D7D0B2951CAC42B8A,IMPHASH=98C7835D04831B61A0DE6D0C77BFC4A6trueMicrosoft WindowsValid 734700x8000000000000000304731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.857{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x8000000000000000304730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\wersvc.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Error Reporting ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationwersvcMD5=6B25CFD60862B1AEB62E7B3EF9FDDC74,SHA256=DEAFB10131391F8FFBAC2A2A01897223037FC21F23F3C2CF4028EBC3C343E3F7,IMPHASH=CB59564E959F5AF52A6298B2717AE1A5trueMicrosoft WindowsValid 734700x8000000000000000304722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 734700x8000000000000000304721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000304720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000304717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000304715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.841{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924trueMicrosoft Windows PublisherValid 734700x8000000000000000304713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000304712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-D019-6305-0A00-000000007502}6166776C:\Windows\system32\services.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000304707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000304704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000304703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000304702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000304697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000304696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x8000000000000000304695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-D019-6305-0A00-000000007502}6161748C:\Windows\system32\services.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000304691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28trueMicrosoft WindowsValid 734700x8000000000000000304690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000304685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.819{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000304684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000304682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000304680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000304676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D525-6305-2201-000000007502}8201008C:\Windows\system32\csrss.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9705-000000007502}21406692C:\windows\system32\cmd.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+5fc32|C:\Windows\System32\KERNELBASE.dll+5f7c6|C:\Windows\System32\KERNEL32.DLL+60ca6|UNKNOWN(000002099EBB0055) 154100x8000000000000000304669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.812{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalcC:\Temp\upload_files\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exe"C:\windows\system32\cmd.exe" 23542300x8000000000000000304668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F934-6305-9005-000000007502}6004ATTACKRANGE\AdministratorC:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\cmd[1].txtMD5=F9C645B5CE98A6B63028C8979F447C1A,SHA256=2B119ACCA894746D84E78B24234141EF73EB4658718A0918BDB9FFFD104094A7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000304666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F902-6305-8E05-000000007502}5886416C:\Windows\system32\conhost.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D029-6305-2900-000000007502}26722280C:\Windows\sysmon64.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+18da1|C:\Windows\sysmon64.exe+11484|C:\Windows\sysmon64.exe+b0591|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000304660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x8000000000000000304659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe66920x000002099EBB0000-- 10341000x8000000000000000304658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-D525-6305-2201-000000007502}8201008C:\Windows\system32\csrss.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F934-6305-9005-000000007502}60046036C:\Temp\upload_files\c2_agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+5fc32|C:\Windows\System32\KERNELBASE.dll+5f7c6|C:\Windows\System32\KERNEL32.DLL+1bcc3|C:\Temp\upload_files\c2_agent.exe+4ab7|C:\Temp\upload_files\c2_agent.exe+595f|C:\Temp\upload_files\c2_agent.exe+5aa3|C:\Temp\upload_files\c2_agent.exe+5d1c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.804{D25361F1-F93E-6305-9705-000000007502}2140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\windows\system32\cmd.exe"C:\Temp\upload_files\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exec2_agent.exe 10.0.1.16 11241100x8000000000000000304652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.788{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\cmd[1].txt2022-08-24 10:11:10.788 734700x8000000000000000305154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exeC:\Windows\System32\pcadm.dll10.0.14393.5291 (rs1_release.220806-1444)Program Compatibility Assistant Diagnostic ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=5B10F24BC9E1A2A2C52AC326F7A21625,SHA256=89B794CD384C1AE92D5EE6C303A01DE9F9A05C400F7C378191899E191B425C9A,IMPHASH=87A3AD703BADD3DFEF6CD8454A33C4CEtrueMicrosoft WindowsValid 734700x8000000000000000305153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\System32\svchost.exeC:\Windows\System32\fthsvc.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Windows Fault Tolerant Heap Diagnostic ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporationfthsvc.dllMD5=899E60FF3E315B4F05F591551A134835,SHA256=5F26E8E42740C9D72F71752F66D660FB3F0D52D532BAFE85310B51D377BA6081,IMPHASH=1B7508300DDB76E8C10637683D00FD51trueMicrosoft WindowsValid 354300x8000000000000000316501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:09.758{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55403-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:11.115{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129313A4EB9118B08890FB1C5FAE0AAD,SHA256=1337305DC1A42D7D9A1BB5DE68250ED94F76392B8B08E069BA4290B1813C1D7C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000305152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\System32\svchost.exeC:\Windows\System32\wdi.dll10.0.14393.0 (rs1_release.160715-1616)Windows Diagnostic InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationwdi.dllMD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507,IMPHASH=C4D742A0EA60EA0359B282ACF9999522trueMicrosoft WindowsValid 734700x8000000000000000305151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exeC:\Windows\System32\wdi.dll10.0.14393.0 (rs1_release.160715-1616)Windows Diagnostic InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationwdi.dllMD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507,IMPHASH=C4D742A0EA60EA0359B282ACF9999522trueMicrosoft WindowsValid 17141700x8000000000000000305150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-CreatePipe2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380\ProtectedPrefix\LocalService\FTHPIPEC:\Windows\system32\svchost.exe 13241300x8000000000000000305149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\FTH\CheckPointTimeDWORD (0x0d37d7a3) 734700x8000000000000000305148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x8000000000000000305147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 734700x8000000000000000305146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 734700x8000000000000000305145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x8000000000000000305144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\System32\svchost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 10341000x8000000000000000305143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.931{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000305139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.929{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000305138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.929{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000305137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.916{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.914{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.914{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000305134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.902{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=56D404FF0480F0E2F182319E1849B58D,SHA256=0A667F28313ED2F5ABC7758BB2AAAE94F13E36F32AE7CFCF314D13B6D1A4067C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000305133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.875{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194D93E11847541A9C45326727005B88,SHA256=7F613201DB8F83C9D3EE72D06F1F69E14D4CC72E6399DD6D035B84D4507456F2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000305132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.683{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=3737D7B3A07BD11A31CD91B11F7EBA46,SHA256=528C1810C991DD93FA25D6A67A1415BC0A189189AEE0A62C0C79A43AA594E978,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 10341000x8000000000000000305131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.848{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.848{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.844{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000305128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.549{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\msls31.dll3.10.349.0Microsoft Line Services library fileMicrosoft® Line ServicesMicrosoft CorporationMSLS31.DLLMD5=1B3268228F5D58D543A3CB0C24696CBE,SHA256=A701E9843C81A9E9BA2A3EAE9908B7F690D9B7F95E5A7384F61D60DB046B9315,IMPHASH=22022E58D2351099BED48D9D44B57787trueMicrosoft WindowsValid 734700x8000000000000000305127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.546{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\usp10.dll10.0.14393.3321 (rs1_release.191016-1811)Uniscribe Unicode script processorMicrosoft® Windows® Operating SystemMicrosoft CorporationUSP10.DLLMD5=ACF31D492FD578C0374EB20CC393BE98,SHA256=D49ECA60A94B30DB87CDCEB36F284D273E080E8689E4B0F99D5BD44FFD117A92,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000305126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.542{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\riched20.dll5.31.23.1231Rich Text Edit Control, v3.1Microsoft RichEdit Control, version 3.1Microsoft Corporationriched20.dllMD5=0E825440832D043069B3C8E5735663F6,SHA256=6CA39AF0D27E33E9CB3422AE04EBEF8D59F7E7E9963D6566FEBBFEA900FF082E,IMPHASH=2E5A33693B3ACE324BE9029B425567C9trueMicrosoft WindowsValid 734700x8000000000000000305125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.473{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\werui.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Error Reporting UI DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwerui.dllMD5=725FDFF315C108EF2B2A17C3CF39D726,SHA256=1AFCFCB4567F3267A52F37750B0C56F719001912B51A0078900FE64C675CE3BA,IMPHASH=3788FF3ECC95EC4BD46EBEDBC5DCB78EtrueMicrosoft WindowsValid 734700x8000000000000000305124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.404{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x8000000000000000305123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.739{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000305122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.735{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.735{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.735{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.735{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.732{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.732{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.732{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.727{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 13241300x8000000000000000305114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.722{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000305113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.722{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jva32pnyp.rkrBinary Data 10341000x8000000000000000305112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.721{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.721{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.720{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000305109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.720{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000102E6\VirtualDesktopBinary Data 10341000x8000000000000000305108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.719{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.719{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.719{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.718{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.718{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.715{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000305102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.695{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exeHKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialogQWORD (0x00000000-0x000102e6) 13241300x8000000000000000305101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.681{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialogQWORD (0x00000000-0x000102e6) 734700x8000000000000000305100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.391{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000305099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.554{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 13241300x8000000000000000305098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.664{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000305097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.664{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 10341000x8000000000000000305096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.662{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.658{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.657{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.654{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.654{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.654{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.652{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.652{D25361F1-D528-6305-3001-000000007502}41844392C:\Windows\system32\taskhostw.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.644{D25361F1-D528-6305-3001-000000007502}41844392C:\Windows\system32\taskhostw.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000305087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.636{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000030290\VirtualDesktopBinary Data 10341000x8000000000000000305086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.636{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.636{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.636{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.635{D25361F1-D528-6305-3A01-000000007502}47604508C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.635{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.634{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.634{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.634{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.388{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 23542300x8000000000000000305077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.600{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2FDE951E03328B36CE7E9B71824FE6,SHA256=FD8740CE9920869A491AF268714D2F349FE9BF165F72F73DCF3F00F366077C73,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000305076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.561{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x8000000000000000305075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.553{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x8000000000000000305074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.535{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.535{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.535{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000305071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.386{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 734700x8000000000000000305070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.522{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x8000000000000000305069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.515{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 10341000x8000000000000000305068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.513{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.512{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 10341000x8000000000000000305066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.511{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.511{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.511{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000305063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.510{D25361F1-F902-6305-8E05-000000007502}5886416C:\Windows\system32\conhost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.365{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000305061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.366{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000305060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.366{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000305059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.508{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 10341000x8000000000000000305058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.506{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.505{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 734700x8000000000000000305056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.349{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXEMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8trueMicrosoft WindowsValid 734700x8000000000000000305055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.497{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 734700x8000000000000000305054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.492{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000305053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.489{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000305052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.488{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 10341000x8000000000000000305051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.488{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.487{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 734700x8000000000000000305049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.487{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000305048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.484{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 734700x8000000000000000305047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.483{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000305046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.482{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000305045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.482{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x8000000000000000305044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.480{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.479{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 734700x8000000000000000305042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.478{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000305041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.476{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x8000000000000000305040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.472{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000305039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.471{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000305038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.471{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000305037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.471{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000305036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.471{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000305035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.274{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046,IMPHASH=563B6F147961D943E0261E05EAD94B56trueMicrosoft WindowsValid 734700x8000000000000000305034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.470{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000305033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.470{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000305032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.470{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000305031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.470{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000305030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.470{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000305029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.470{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000305028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000305027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000305026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000305025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000305024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000305023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000305022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000305021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.469{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000305020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.468{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000305019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.468{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000305018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.468{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000305017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.467{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000305016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.467{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000305015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.257{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x8000000000000000305014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.467{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000305013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.466{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000305012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.466{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000305011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.466{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000305010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.465{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000305009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.465{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000305008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.464{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000305007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.464{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000305006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.462{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000305005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.462{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000305004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.462{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.462{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.461{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.461{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.461{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.461{D25361F1-F93E-6305-9B05-000000007502}55326724C:\Windows\system32\WerFault.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37bfc|C:\Windows\system32\wer.dll+38154|C:\Windows\system32\wer.dll+38aea|C:\Windows\system32\wer.dll+13ae4|C:\Windows\system32\wer.dll+6306|C:\Windows\system32\faultrep.dll+b4be|C:\Windows\system32\faultrep.dll+8704|C:\Windows\system32\faultrep.dll+70ac|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.461{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000304997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.455{D25361F1-F93F-6305-9D05-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000304996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.457{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 13241300x8000000000000000304995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.456{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 23542300x8000000000000000304994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.455{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CD4D7FBE73D65CEF3632A649215233,SHA256=07AA85E8E79D3E4A76037472A8B715F690438A3FD64462B5B530BFC8AC34DCC7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.257{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=44DF25F229E9374FA1290BE1CA03026B,SHA256=A446A296E85934FD9D10D7BD5B086FE6B4972FD7E93D4CC0ADC1068DD7A5AD81,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 10341000x8000000000000000304992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.445{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.445{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.443{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.443{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000304988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.241{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\ieframe.dll11.00.14393.5291 (rs1_release.220806-1444)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=6329F4135E892B4DC3169BEA689D89E7,SHA256=E4EF2B0881E78EFA1CFD0987EF1259CA0ED7C9BA4429BCE3C63401EEACC79CE0,IMPHASH=5917C913C5FD89360FBD7FB6D32C83A1trueMicrosoft WindowsValid 10341000x8000000000000000304987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.410{D25361F1-F93E-6305-9B05-000000007502}55326724C:\Windows\system32\WerFault.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+10f93|C:\Windows\system32\faultrep.dll+968e|C:\Windows\system32\faultrep.dll+b215|C:\Windows\system32\faultrep.dll+8704|C:\Windows\system32\faultrep.dll+70ac|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.407{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000304985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.407{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000304984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.406{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000304983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.399{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000304982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.397{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000304981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.395{D25361F1-D01B-6305-1600-000000007502}12882000C:\Windows\system32\svchost.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.395{D25361F1-D01B-6305-1600-000000007502}12881324C:\Windows\system32\svchost.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.385{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.385{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.385{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.382{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.380{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.380{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000304973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.379{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x8000000000000000304972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9905-000000007502}4104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.378{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000304964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.377{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5127_none_aec7dd25ddd79049\GdiPlus.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=7278B609C8DAD47E0E93DBB4D49361D1,SHA256=B9FB1418BE46EACB34582BC8F4E867CE4AD7D3C580987AFE0A8EC55ED30A5247,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 734700x8000000000000000304963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.363{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000304962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.363{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000304961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.362{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000304960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.362{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.361{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.361{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000304957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.360{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000304956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.360{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000304955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.360{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000304954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.359{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.359{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000304952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.359{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000304951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.358{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000304950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.358{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000304949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.358{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000304948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.357{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000304947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.357{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000304946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.357{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000304945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.356{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000304944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.354{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000304943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.356{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000304942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.354{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000304941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.354{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000304940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.353{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000304939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.352{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000304938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.351{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000304937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.351{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000304936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.350{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000304935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.345{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.345{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.344{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.344{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.344{D25361F1-D525-6305-2201-000000007502}8203248C:\Windows\system32\csrss.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000304930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.341{D25361F1-F93E-6305-9805-000000007502}67087136C:\windows\system32\calc.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+fc930|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+9a673|C:\Windows\System32\SHELL32.dll+9a53b|C:\Windows\System32\SHELL32.dll+99e57|C:\Windows\System32\SHELL32.dll+5d8fe|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000304929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.324{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Temp\upload_files\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.execalc 23542300x8000000000000000304928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.340{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=ACECD38E8DF1977F71B6DE5D378FE231,SHA256=38228A473AA341A3E17897DFB01CCE0EA7D0DF8B3158A80214A0DCEF6DF914C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.335{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.335{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.335{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.334{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.334{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000304922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.334{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93E-6305-9705-000000007502}2140C:\windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 13241300x8000000000000000304921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.321{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\win32calc.exe.ApplicationCompanyMicrosoft Corporation 13241300x8000000000000000304920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.321{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\win32calc.exe.FriendlyAppNameWindows Calculator 13241300x8000000000000000304919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.307{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\calculator_calculatorDWORD (0x00000000) 354300x8000000000000000304918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.157{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61533-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000304917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:09.157{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61533-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 13241300x8000000000000000304916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.290{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x8000000000000000304915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.290{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x8000000000000000304914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.290{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x8000000000000000304913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.290{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\wininet.dll11.00.14393.5127 (rs1_release_inmarket.220514-1756)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB9D348470B507BC5761495A04335B06,SHA256=F538BC5C83DC2A3ECAF99BA1786066A6D511DA2BC3971B937882171315AA46C0,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 10341000x8000000000000000304912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.274{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.274{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.274{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000304909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.274{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000304908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.257{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000304907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.257{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000304906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.257{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000304905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.257{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000304904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.257{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000304903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.241{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 23542300x8000000000000000304902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.104{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A985417C2412BDE054C158E01C1795,SHA256=D7C90F96D7BFA94AEF197D6049EEE5EC90BBF0EC8A397812EB88BD6A10FB6CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.088{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E52B37C5A5624F5E0CA4158F1DEFBE1F,SHA256=5791C32EAE1CF273595D6FF3E444E068A8AFF1F908EFB3AACCCB7D561D7008BF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000304900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.041{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000304899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.041{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000304898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.041{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=52FD1288FED0BD435BBA02023D8A5394,SHA256=C277A8E6B6E25656085647270AF0D6673DD3C6B29C99260825CD5909FCB82549,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000304897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.041{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\urlmon.dll11.00.14393.5291 (rs1_release.220806-1444)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=EB23BDE140B2A7A40A10923024B4B945,SHA256=F839955D9722980FEC4540AC2FFE3C8225434A40FDF12C7F6A67E9FF3B7AA7E8,IMPHASH=E530C982EE775310D0834EA7C551BBFDtrueMicrosoft WindowsValid 734700x8000000000000000304896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.041{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=F3BCB5B813B4FB4010138BE1BD58F4C4,SHA256=E5879F56DBBC6270E05DE601288AB45868E349024B6C4FDACA6BDF51D7F5C97A,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000304895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.035{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Shell.ServiceHostBuilderMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Shell.ServiceHostBuilder.dllMD5=BAE7C7806F172B14686A3F22A92B3F6B,SHA256=F99E2CEA34785407A7127920360AC8F34CFE4B982D15B69B3C8B9902ADECECA1,IMPHASH=0E55B6055EE0F1C836E9516928D58A99trueMicrosoft WindowsValid 734700x8000000000000000304894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.037{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 10341000x8000000000000000304893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000304891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-D01B-6305-1600-000000007502}12882000C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-D01B-6305-1600-000000007502}12881324C:\Windows\system32\svchost.exe{D25361F1-F93E-6305-9805-000000007502}6708C:\windows\system32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000304889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000304888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000304887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000304886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.000{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DD,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000304885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-F93E-6305-9805-000000007502}6708C:\Windows\System32\calc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 12241200x8000000000000000304884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-DeleteKey2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x8000000000000000304883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 13241300x8000000000000000304882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exeHKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecordBinary Data 13241300x8000000000000000304881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\UsnQWORD (0x00000000-0x00000000) 13241300x8000000000000000304880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\IsOsComponentDWORD (0x00000001) 13241300x8000000000000000304879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\LanguageDWORD (0x00000409) 13241300x8000000000000000304878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\SizeQWORD (0x00000000-0x00038e00) 13241300x8000000000000000304877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\AppxPackageRelativeId(Empty) 13241300x8000000000000000304876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\AppxPackageFullName(Empty) 13241300x8000000000000000304875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\BinProductVersion10.0.14393.0 13241300x8000000000000000304874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\LinkDate07/16/2016 02:23:21 13241300x8000000000000000304873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\ProductVersion10.0.14393.0 13241300x8000000000000000304872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\ProductNamemicrosoft® windows® operating system 13241300x8000000000000000304871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\BinaryTypepe64_amd64 13241300x8000000000000000304870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\BinFileVersion10.0.14393.0 13241300x8000000000000000304869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\Version10.0.14393.0 (rs1_release.160715-1616) 13241300x8000000000000000304868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\Publishermicrosoft corporation 13241300x8000000000000000304867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\OriginalFileNamecmd.exe 13241300x8000000000000000304866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\Namecmd.exe 13241300x8000000000000000304865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\LongPathHashcmd.exe|5ce9ba8d0d54ad10 13241300x8000000000000000304864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\LowerCaseLongPathc:\windows\system32\cmd.exe 13241300x8000000000000000304863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\FileId000099ae9c73e9bee6f9c76d6f4093a9882df06832cf 13241300x8000000000000000304862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\cmd.exe|5ce9ba8d0d54ad10\ProgramId0000f519feec486de87ed73cb92d3cac802400000000 734700x8000000000000000304861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9A05-000000007502}3204C:\Windows\System32\svchost.exeC:\Windows\System32\ClipSVC.dll10.0.14393.4169 (rs1_release.210107-1130)Client License ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationClipSVC.dllMD5=96D21C2596ACCF851D333CF78B56ACDB,SHA256=E356FF7A84952095B23AFD106F4A4C164EC31E652D4DE46E2F3B41151184A84D,IMPHASH=F9F97E5D1EFD7C464E57BA099D1C73AFtrueMicrosoft WindowsValid 924900x8000000000000000304860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exe\Device\Harddisk0\DR0 924900x8000000000000000304859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.015{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exe\Device\HarddiskVolume1 734700x8000000000000000304858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.000{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000304857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.000{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000304856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.000{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 12241200x8000000000000000304855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-DeleteKey2022-08-24 10:11:11.000{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x8000000000000000304854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:11.000{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 734700x8000000000000000304853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.968{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=ED29C426ADF167F9AEBBF2A7F4F4C55F,SHA256=A5E521F4409FCBDF2B82C97BF6FFBEFFD145F9FEBFE8182A8CE4B53ED69AD9BC,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 12241200x8000000000000000304852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-DeleteKey2022-08-24 10:11:10.984{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x8000000000000000304851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:10.984{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\system32\WerFault.exe\REGISTRY\A\{01a0a6e2-c50b-340c-f0b4-99fc0aed6d88}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 734700x8000000000000000304850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:10.984{D25361F1-F93E-6305-9B05-000000007502}5532C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 354300x8000000000000000316503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:10.845{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000316502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:12.196{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FCFF7F3FADC9A7D54CBD066B05586D,SHA256=F58718BC4BD7B90DADEFD020F02438C6D80BF187659488D567D4EF169B5A3F10,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000305160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:12.766{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8b7a1-0xd6bb8aad) 10341000x8000000000000000305159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:12.766{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000305158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:12.766{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000305157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:12.766{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa16821.TMPMD5=7C93E0E6DCAB68B9BCC4A82C8177A955,SHA256=A68F241C43CB569619FD463D3B05D59F2CDDBA1A0B0BFA98F8E433A34B35189A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000305156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:12.246{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA2677A3DC982B9F1D41EA8181B4F97,SHA256=2B9B4AC6FD43D1E4FEA4E876EDD327F2B3A65BD0B34F5CADF904667F86D9D681,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000305155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.976{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 354300x8000000000000000316505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:12.033{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55405-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:13.295{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85B041EB1CF462880920CFCBBCFB107,SHA256=7DB7A9E523291711DD231F69B6415F70AB4A11AB3F2811919904A64C0F2C3D64,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000305171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:13.883{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000102E6\VirtualDesktopBinary Data 10341000x8000000000000000305170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}47606656C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000305167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-DeleteKey2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000102E6 10341000x8000000000000000305166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.812{D25361F1-D528-6305-3A01-000000007502}47604968C:\Windows\Explorer.EXE{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000305162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:11.281{D25361F1-F934-6305-9005-000000007502}6004C:\Temp\upload_files\c2_agent.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61534-false10.0.1.16ip-10-0-1-16.us-east-2.compute.internal8081- 23542300x8000000000000000305161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:13.082{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7183DD861F04B06B5CB740E308067625,SHA256=5961982B6759AEAB14EABC32DA4A4638AA3FD8D38D4657C655944E6A8520A726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:14.413{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAB203ADD104DACCB7333F34E59D76D,SHA256=CE2BDE0698BCFF4373C0BF3B0470A95E0F2C3B66A74A1BB308C64E880B4BB1C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000305173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:12.533{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61535-false10.0.1.12-8000- 23542300x8000000000000000305172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:14.183{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE619D2E9C8A5F77EF5BD3080FA48E32,SHA256=1BB08A26B6E8ACD75E618495FF464D008867A47DB687A7365F1C89AAFF440C75,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000316507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:11:14.164{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000316506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:11:14.164{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkrBinary Data 23542300x8000000000000000305175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:15.949{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-170MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000305174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:15.284{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F86D655E476B5766625BF29A699AE7E,SHA256=FCFF47566D0CF03483CAD331572B58E4A7D0255553D10ABDB317E46A0EF47925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:15.991{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:15.982{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:15.974{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:15.972{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000316510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:15.532{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5725612D42E439C39ED7BC805E68168F,SHA256=83A9D87CDC522E41BA838BB68F7E6B11D4BAEECA5D16A2688C43F771BA2173A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:15.462{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\datareporting\glean\db\data.safe.binMD5=C3B9C8A8E97D9A8F81706A1AAC2FB11A,SHA256=C842129159B8AA01D1C0D7CB930813034C39F581101FE53BA7841C3EB3DF379E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000305179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:16.953{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-171MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000305178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:16.822{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000305177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:11:16.822{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jva32pnyp.rkrBinary Data 23542300x8000000000000000305176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:16.390{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD38F9D1F179D5616E949B38000AE937,SHA256=7CDBDB0CB849773CF50C28B4402AC76EDB557AE8B7974A405D0480B92DA4A54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.512{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3585C6B2D574F424D9111A35BCF4E9FE,SHA256=65196D6172BD9515597C922781992F921B146AE99C099B162275C19867866F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.494{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4C6E9CCDC4C9992C761CFF39145BE4,SHA256=228F2BB5CA93C466F067FD3070C6E015D0415C9C502199F604B133B5BF624442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.314{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.310{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.308{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.304{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.299{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.293{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.290{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.285{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.275{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.258{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.256{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.253{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.252{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.230{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.216{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.183{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.177{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.164{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.154{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.151{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.149{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.137{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.135{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.130{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.120{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.114{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.107{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.104{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 13241300x8000000000000000316528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:11:16.092{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXEHKU\S-1-5-21-615810692-2190200166-3691174995-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8b7a1-0xd8b7204a) 10341000x8000000000000000316527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.092{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.090{F6DB49F2-D1AD-6305-C400-000000007602}32723456C:\Windows\Explorer.EXE{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802862D9CD8)|UNKNOWN(FFFFBE9304277E08)|UNKNOWN(FFFFBE9304277F87)|UNKNOWN(FFFFBE9304272611)|UNKNOWN(FFFFBE9304273FDA)|UNKNOWN(FFFFBE9304272296)|UNKNOWN(FFFFF80285FEF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000316525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.090{F6DB49F2-D1AD-6305-C400-000000007602}32723456C:\Windows\Explorer.EXE{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802862D9CD8)|UNKNOWN(FFFFBE9304277E08)|UNKNOWN(FFFFBE9304277F87)|UNKNOWN(FFFFBE9304272611)|UNKNOWN(FFFFBE9304273FDA)|UNKNOWN(FFFFBE9304272296)|UNKNOWN(FFFFF80285FEF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000316524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.090{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa17659.TMPMD5=6D6BD8A8E2BA8577192AABEA150A270E,SHA256=453D7E99537D1CA6B3B99053228CD0E2B579C7AD539D740B712D46F5CD634035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.082{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.069{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.063{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.052{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.044{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.020{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.015{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000316516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:14.232{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55406-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000316515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.007{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000305180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:17.477{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE08B0DAA51D379C3F2AFA69A479B6E,SHA256=83D9A25C65ABCA4C7BD14A523F789D17B099A55DB5008FDE94E91A2096560D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:17.597{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633EE5ACC75363D75A2CA8C73E9C244C,SHA256=8D2A8FB9EAE5E6980A7152AA3DC33620334EFFE093549FF32F920830068DC703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000305181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:18.590{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3012BEF351CB3A10A6650F6B4AFC0B9,SHA256=FD18A53A4E7ADC3030693D4382B071A5AA63EB41451B8D0D72EED67DAA8A3851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:18.714{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255341DC1A880A23F4B31208BFE3CFF2,SHA256=8160EEB767AFAE2E77A0A8537355E96A996F903FE8ECA154D908FBDA253A21D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000305184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:19.790{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0273A5786B9FBD498DEA11CDE64E8CE8,SHA256=2988E632DFF160F2A837DD09D02BB7C0C7834AEA012BE1BECC0BFB381F29C33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:19.847{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842659C7B6DFA36E3374540A7463DD8E,SHA256=8EB9294F5D404B285826D48685A9726754C94CA003A445A852E0030EA9114AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000305183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:17.641{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61536-false10.0.1.12-8000- 23542300x8000000000000000305182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:19.073{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=7350908CD5C8853146FF9F9C3C22AF8A,SHA256=10C2754521B98AF2BA7283B55E56A6FEA36CE53A48C5612346D6AAB3F1896A7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.823{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55408-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000316570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:16.531{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55407-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000305186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:20.891{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60584002ACC1748640BDEF443B748A7B,SHA256=DF58AE6B0366FAB329EFA120429F8E0A01AA8956312AC46CA6A49E195FE001CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:20.962{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836DC237AC98A831169EEAD4B1FD3764,SHA256=95BEACD19EB3B76ABB305075EDEE16C83EA0E401650EDA8E4E2953F600FEC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000305185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:11:20.657{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:11:18.714{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal55409-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https